Getting started with IaaS on Microsoft Azure

Hosting replica domain controllers in the Azure cloud is one of the most compelling reasons to extend your on-premises Active Directory. A replica DC is nothing more than another domain controller that is located on the distributed Azure network. Just like a local environment, it requires a dedicated VM and reliable network connectivity to the other domain controllers in the domain and forest. All the configuration was done on Windows 2008 R2. The secret sauce that allows your local network to connect to the Azure network is the point-to-site or site-to-site VPN. This post will focus on the point-to-site VPN since it can be used regardless of the type of firewall or VPN device on your local network. Microsoft is currently pretty limited with their site-to-site offering. This link provides a supported list: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Configuring a point-to-site VPN

A point-to-site VPN connects a single machine in your network, like a domain controller, to the entire virtual network configured in Azure. It does this by using a certificate-based VPN that has matching certs installed on the target machine and uploaded to Azure. This connects your local DC to the cloud DC. Of course, you still need to do the AD basics of configuring sites, assigning subnets and verifying replication. The certificate can be self-signed but needs a root certificate and its private key. To make the connection you need to:

  1. Create the root cert
  2. Create the client certificate
  3. Install the client cert on the target machine
  4. Upload the root certificate to Azure
  5. Download the precompiled VPN client

To create the certificate you need the utility makecert.exe from the Visual Studio SDK.  When you have makecert installed, use it to create a root certificate and a client certificate with these commands:

makecert -sky exchange -r -n "CN=<RootCertificateName>" -pe -a sha1 -len 2048 -ss My

makecert.exe -n "CN=<CertificateName>" -pe -sky exchange -m 96 -ss My -in "<RootCertificateName>" -is my -a sha1

If you want to connect multiple point-to-site VPN connections, you can export the client certificate with its private key as a .pfx file.  Otherwise, you can skip it and just export the root certificate as a .cer file.  That .cer file needs to be uploaded to Windows Azure to create the VPN connection binary.
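A check worth running before the upload, as an added example that is not part of the original post: it confirms that the client certificate really chains to the root created above, that both still have their private keys, and that the exported .cer carries only the public part. The subject names are the placeholders from the makecert commands, the output path is hypothetical, and the script assumes both certificates are in the current user's Personal store.

```powershell
# Added example. Placeholders match the makecert commands above; replace them.
$rootSubject   = 'CN=<RootCertificateName>'
$clientSubject = 'CN=<CertificateName>'
$cerPath       = Join-Path $env:TEMP 'p2s-root.cer'   # hypothetical output path

function Get-MyCert([string]$Subject) {
    # makecert -ss My writes to the current user's Personal store by default
    $hits = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $Subject })
    if ($hits.Count -ne 1) { throw "Expected 1 certificate '$Subject', found $($hits.Count)" }
    $hits[0]
}

$root   = Get-MyCert $rootSubject
$client = Get-MyCert $clientSubject

# The root key signs further client certs; the client key authenticates the VPN
foreach ($c in $root, $client) {
    if (-not $c.HasPrivateKey)      { throw "$($c.Subject) has no private key" }
    if ($c.NotAfter -lt (Get-Date)) { throw "$($c.Subject) expired $($c.NotAfter)" }
    if ($c.SignatureAlgorithm.FriendlyName -match 'sha1') {
        Write-Warning "$($c.Subject) is signed with $($c.SignatureAlgorithm.FriendlyName)"
    }
}

# Build the chain; the self-signed root is not in Trusted Roots, so allow
# an unknown CA and then pin the top of the chain to our root's thumbprint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
if (-not $chain.Build($client)) {
    throw "Chain build failed: $($chain.ChainStatus | ForEach-Object { $_.Status })"
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    throw "Client chains to $($top.Subject), not to $($root.Subject)"
}

# Export the public part only (X509ContentType Cert never includes the key)
$bytes = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $bytes)

# Reload the file and confirm no private key travelled with it
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($check.HasPrivateKey) { throw "$cerPath unexpectedly contains a private key" }
"Ready to upload: $cerPath (thumbprint $($check.Thumbprint))"
```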

After uploading the certificate, Azure will churn for a while and then produce a ready-to-install network object that is preconfigured for your virtual network’s gateway and the root certificate you installed. It actually works extremely well. The next step is to install the package, go to your network adapters, right-click and select connect. You will be prompted for elevated privileges so that CMROUTE.DLL can update the internal routes on the server.

You can verify the new routes with the old standby command “route print”.

Once it connects you are all set!  You can see the data being transferred between the networks in the Azure dashboard and virtual machines running on Azure will be able to communicate with the point server.  Make sure to check those local firewalls if you are troubleshooting!