Design Considerations of Building a Replica Domain Controller ARM Template

Labels: Azure, Shannon Kuehn, Windows, Windows Server

Inside the Cloud Adoption Framework, the first migration pattern is rehosting workloads. Since rehosting means workloads move out of the primary datacenter and into Azure without being changed much in the first iteration, most customers decide to build out replica domain controllers in Azure once hybrid connectivity is in place. Microsoft even provides an excellent reference architecture for extending your ADDS infrastructure into Azure. The big takeaways are covered in its recommendations section (and we covered some of these pre-requisites during the last blog post). I want to call out a few of the design considerations within this blog post to bring awareness to what winds up deploying if you use my ARM Template:


  • Load Balancer vs VM Size – ADDS handles replication and client distribution on its own: a domain-joined client finds a domain controller through the DC Locator process (DNS SRV records plus the Active Directory site topology), not through a network endpoint you put in front of the DCs. A load balancer is therefore not required to direct requests to each replica domain controller, so my template does not deploy a load balancer to get your environment up and functional. The bigger consideration is ensuring you have the correct VM size allocated to handle the volume of authentication and LDAP requests. If your company is not sure what size to select, a good rule of thumb is to start monitoring the performance of your on-premises ADDS domain controllers (if you are not already), or select a SKU that best matches your VM size on-premises. Note: I tend to deploy D series VMs as domain controllers that hold the Active Directory Domain Services role within my environments.
  • Static IPs - ADDS in Azure needs domain controllers whose addresses never change, because every client and every other DC reaches them through DNS records that point at those addresses. The template I will walk you through already has that information sorted within the code. The Azure-specific detail is where the static assignment lives: set the private IP allocation method to Static on the VM's network interface in Azure, and leave the Windows guest configured for DHCP (Azure's DHCP hands the NIC its reserved address; configuring a static address inside the guest instead can leave the VM unreachable). Once the DCs are up, point the virtual network's custom DNS servers at those addresses so domain-joined VMs in Azure resolve the domain against the replica DCs. Since ADDS is more of a traditional IT solution, it leans upon static IP addresses, just as many Windows environments have done over the course of time.
  • Availability Set – High availability (HA) is a must for any production system. Within Azure, there are two ways to spread VMs across failure boundaries: Availability Sets and Availability Zones. For my initial quickstart ARM Template, I place 2 VMs into an Availability Set vs. an Availability Zone. “Well, what is the difference?” you may find yourself asking. An Availability Set spreads workloads over multiple hosts and racks (separate fault domains and update domains), but the VMs still reside in 1 datacenter. The typical design pattern is to place the VMs behind a load balancer, but remember, domain controllers do not need to be behind a load balancer (and as a result, the VMs in my template are not behind a load balancer, as I covered). An Availability Set’s service level agreement (SLA) will still be met without a load balancer: with 2 or more VMs in the set, the SLA is 99.95% uptime, within 1 of Azure’s datacenters inside a given region. An Availability Zone takes the initial concept of an Availability Set but spreads the VMs across physically separate datacenters within the same region, and 2 or more VMs across 2 or more zones carry a 99.99% uptime SLA. For a two-DC quickstart an Availability Set is the simpler starting point; a zonal deployment is equally valid for domain controllers, since the zones of a region sit within a single AD site and replicate normally, and it is worth choosing in regions that offer zones. Lastly, on the load balancer point again: a zone-redundant load balancer is what unifies a web or application tier across zones, but domain controllers are located by clients through DNS and the DC Locator, so they need no load balancer in either layout.
  • Separate Data Disk - Microsoft's best practice recommendation is to store the ADDS database (NTDS.dit), its transaction logs, and the SYSVOL folder on a separate data disk rather than on the OS disk. Azure enables read/write host caching on the OS disk of virtual machines by default. The directory database relies on a write being durable once it has been acknowledged; if an acknowledged write is still sitting in the host cache when the VM crashes or is redeployed, the database can be left inconsistent. As a result, you will want the separate data disk to have host caching set to None (not just Read Only), and my template factors in that design consideration. The data disk only provides the volume; the database, logs, and SYSVOL land on it because the promotion step points the DatabasePath, LogPath, and SysvolPath at that drive.
  • Read Only Domain Controllers - A lot of the customers I have worked with become extremely security conscious related to deployments in Azure. RODCs are supported in Azure, but RODCs exist for the case where you cannot guarantee the physical security of the server, such as a branch office closet. With Azure's tight physical controls and disk encryption, it's unlikely a domain controller could be "stolen" in a way where an RODC would help. What does carry over to Azure is the logical equivalent of that threat: anyone holding control-plane rights over the DC's virtual machine or its managed disk (rights to snapshot or export the disk, or to run a VM extension, which executes as SYSTEM inside the guest) can reach the directory database without ever touching hardware, and disk encryption does not stop an authorized Azure principal from doing so. Treat Azure RBAC over the DC resources the way you would treat badge access to the datacenter: keep the DCs in a dedicated resource group or subscription, keep the role assignments that can touch them to a minimum, and review Activity Log entries for snapshot, export, and extension operations against them.
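The excerpt below is an added illustration, not the author's template, of how the decisions in the list above show up in ARM resource definitions: two VMs in one Availability Set, no load balancer, a static private IP on each NIC, and a data disk with host caching set to None. Resource names, the 10.0.1.x addresses, the VM size, the disk size, the image SKU, the subnet parameter, and the apiVersion values are all assumptions chosen for the example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "type": "string" },
    "adminPassword": { "type": "securestring" },
    "subnetId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the existing AD DS subnet (assumed; not created here)" }
    },
    "dcPrivateIps": {
      "type": "array",
      "defaultValue": [ "10.0.1.4", "10.0.1.5" ],
      "metadata": { "description": "Assumed static addresses; must be free in the subnet and outside Azure's reserved first four" }
    }
  },
  "variables": {
    "dcCount": 2,
    "vmNamePrefix": "azdc",
    "vmSize": "Standard_D2s_v3"
  },
  "resources": [
    {
      "comments": "Two fault domains keep the two DCs on separate racks; 'Aligned' is required for managed disks.",
      "type": "Microsoft.Compute/availabilitySets",
      "apiVersion": "2019-07-01",
      "name": "adds-avset",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Aligned" },
      "properties": { "platformFaultDomainCount": 2, "platformUpdateDomainCount": 5 }
    },
    {
      "comments": "Static allocation is set on the Azure NIC; the Windows guest stays on DHCP and receives this address.",
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2019-11-01",
      "name": "[concat(variables('vmNamePrefix'), copyIndex(), '-nic')]",
      "location": "[resourceGroup().location]",
      "copy": { "name": "nicLoop", "count": "[variables('dcCount')]" },
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Static",
              "privateIPAddress": "[parameters('dcPrivateIps')[copyIndex()]]",
              "subnet": { "id": "[parameters('subnetId')]" }
            }
          }
        ]
      }
    },
    {
      "comments": "No load balancer is referenced anywhere: clients locate DCs via DNS SRV records. The data disk carries NTDS, logs and SYSVOL and has host caching disabled.",
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2019-07-01",
      "name": "[concat(variables('vmNamePrefix'), copyIndex())]",
      "location": "[resourceGroup().location]",
      "copy": { "name": "vmLoop", "count": "[variables('dcCount')]" },
      "dependsOn": [
        "[resourceId('Microsoft.Compute/availabilitySets', 'adds-avset')]",
        "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('vmNamePrefix'), copyIndex(), '-nic'))]"
      ],
      "properties": {
        "availabilitySet": { "id": "[resourceId('Microsoft.Compute/availabilitySets', 'adds-avset')]" },
        "hardwareProfile": { "vmSize": "[variables('vmSize')]" },
        "osProfile": {
          "computerName": "[concat(variables('vmNamePrefix'), copyIndex())]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", "sku": "2019-Datacenter", "version": "latest" },
          "osDisk": { "createOption": "FromImage", "caching": "ReadWrite", "managedDisk": { "storageAccountType": "Premium_LRS" } },
          "dataDisks": [
            {
              "name": "[concat(variables('vmNamePrefix'), copyIndex(), '-ntds')]",
              "lun": 0,
              "createOption": "Empty",
              "diskSizeGB": 64,
              "caching": "None",
              "managedDisk": { "storageAccountType": "Premium_LRS" }
            }
          ]
        },
        "networkProfile": {
          "networkInterfaces": [
            { "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('vmNamePrefix'), copyIndex(), '-nic'))]" }
          ]
        }
      }
    }
  ]
}
```

The template only attaches the raw data disk. Formatting it and promoting the VM are separate steps (typically a DSC or Custom Script extension) in which Install-ADDSDomainController is given -DatabasePath, -LogPath, and -SysvolPath on that data disk's drive letter; if those paths are left at their defaults the database ends up on the cached OS disk despite the disk being present. After deployment, set the virtual network's DNS servers to the two static addresses so Azure-hosted members resolve the domain through the replica DCs.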

In working with customers surrounding Azure adoption, there have only been a handful of times when customers chose to build out a cloud island (where nothing talks to on-premises) or built out a brand-new forest in Azure that trusted production (but production did not trust the Azure forest). I would say 85-90% of the time, customers decide to extend their ADDS environment into Azure, as it matches up to where most enterprises land (and where we will be for a bit): hybrid.


Tune in next week as we start exploring the code I have developed so you can start to feel more comfortable with what an automated replica domain controller build looks like using an ARM Template.