ADFS on Azure Virtual Machines (part 3)

Now that we have our VPN between Azure and our on-premises environment up and running (see part 1), and have our Virtual Machines deployed in a configuration that is HA ready, we can move forward with deploying ADDS and ADFS. (Links to other articles in the series are in the conclusion.)

Why Deploy Active Directory To Azure?

We are choosing to deploy ADFS in Azure IaaS so that we can avoid dependence on the on-premises infrastructure for ADFS. In order to remove dependence on the on-premises infrastructure, we have to provide for ADDS within our virtual data center. I recommend that you create an AD site for the Azure Datacenter and bind it to the subnet we are using for Azure virtual machines. I won't walk through that process here, but there is a Technet article in the references section that explains it succinctly if you don't know how to do that.

Deploy ADDS (Active Directory Domain Services)


  1. Create a data disk to store ADDS data. It is absolutely critical to the integrity of your ADDS deployment (see the guide in the references for additional information) that you do not store the ADDS data in its default location on the system drive when you are deploying it on an Azure Virtual Machine. The caching configuration on the system drive of an Azure Virtual Machine makes it an unsuitable location for ADDS data. It is relatively easy and inexpensive to install the data on a dedicated volume.
    • In the Azure Management Portal click Virtual Machines > ADFS01 > Dashboard > Attach > Empty Disk
    • You can leave Virtual Machine Name and Storage Location alone. Change the filename to ADFS01_Data; specify 5GB (or an appropriate size for your intended use); set Host Cache Preference to None; and click the finish checkmark.
  2. Connect to ADFS01 by clicking "Connect" on the dashboard to download an .rdp file.
  3. Click File And Storage Services > Disks; select the 5GB disk we created; click to start the New Volume Wizard. Step through the wizard accepting all defaults (changing drive letter and volume label as desired), then click "Create."
  4. Install ADDS
    • In Server Manager, click Manage > Add Roles and Features
    • Click Next to advance beyond the welcome screen, then Next to accept the default of Role-based or Feature-based installation. Click Next once more to accept the selection of the local server.
    • Check to select Active Directory Domain Services, then click Add Features to install the prerequisite features.
    • Click Next 3 times to advance past Server Roles, Features, and AD DS, then click Install, then close when finished.
  5. Set MTU to 1350 to improve VPN communication performance by avoiding fragmented packets (see article in references for additional information). Open an elevated command prompt and issue:
    netsh interface ipv4 set subinterface "Ethernet 2" mtu=1350 store=persistent
  6. Click the notification alert > Promote this server to a domain controller in Server Manager to configure ADDS.
  7. Choose Add a domain controller to an existing domain; specify the FQDN for the domain you want to join and specify credentials for a user allowed to add a domain controller to the domain; then click Next.
  8. Leave DNS and GC checked and RODC unchecked; choose the site dedicated to Azure IaaS; and specify a DSRM password, then click next.
  9. Ignore the error about DNS delegation (if you don't understand it, it either doesn't apply to you, or you really shouldn't be doing this yourself in an environment as complex as yours. :) Feel free to read up on it, but I won't go over it here) and click next.
  10. Choose which domain controller to replicate from (if you have a preference) and click Next.
  11. SLOW DOWN AND READ. This is the step where we choose to use the data disk we created and not the default paths on the system drive. Specify F:\ADDS\NTDS for database and log and F:\ADDS\SYSVOL for SYSVOL, then click next.
  12. Click Next to review options and Next to check prerequisites. You can ignore the cryptography warning and the static IP warning, and click Install.
  13. Upon successful promotion, the server will reboot.
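The two settings in this list that are easiest to get wrong, and that nothing in the wizard re-checks, are the file locations from step 11 and the MTU from step 5. The following PowerShell script is an added example (not code from the original article): run it in an elevated PowerShell window on each domain controller after it reboots. It reads the locations AD DS recorded at promotion time, flags anything still on the system drive, and checks the MTU on whichever adapter is currently connected, so it does not depend on the adapter being named "Ethernet 2". It assumes the F:\ADDS paths chosen in step 11 and the 1350-byte MTU from step 5.

```powershell
# Added example, not from the original article: post-promotion check for an
# Azure-hosted domain controller. Run in an elevated PowerShell window on the DC.
# Assumes the F:\ADDS paths chosen in step 11 and the MTU of 1350 from step 5.

$ExpectedMtu = 1350
$SystemDrive = $env:SystemDrive        # normally C:
$Problems    = @()

# AD DS records where it placed the database, logs and SYSVOL at promotion time.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$locations = [ordered]@{
    'NTDS database' = $ntds.'DSA Database file'
    'NTDS logs'     = $ntds.'Database log files path'
    'SYSVOL'        = $netlogon.SysVol
}

# Anything still on the system drive is exposed to the system-disk caching
# behaviour the article warns about, so flag it rather than just list it.
foreach ($item in $locations.GetEnumerator()) {
    $drive = [System.IO.Path]::GetPathRoot($item.Value).TrimEnd('\')
    if ($drive -ieq $SystemDrive) {
        $Problems += "$($item.Key) is on the system drive: $($item.Value)"
    } else {
        Write-Host ("{0,-14} {1}" -f $item.Key, $item.Value)
    }
}

# The adapter name changes when a VM is re-imported ("Ethernet 2" became
# "Ethernet 3" in the article), so pick the connected adapter by state, not name.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
$ipif    = Get-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
if ($ipif.NlMtu -ne $ExpectedMtu) {
    Write-Host "MTU on '$($adapter.Name)' is $($ipif.NlMtu); setting it to $ExpectedMtu"
    # Same netsh command as the article, with the adapter name filled in at run time.
    netsh interface ipv4 set subinterface "$($adapter.Name)" "mtu=$ExpectedMtu" store=persistent
} else {
    Write-Host "MTU on '$($adapter.Name)' is already $ExpectedMtu"
}

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Relocate the flagged AD DS files off the system drive before relying on this DC.'
    exit 1
}
Write-Host 'AD DS file locations and MTU look correct.'
```

Host caching on the data disk (set to None in step 1) is a property of the Azure disk attachment and is not visible from inside the guest, so the script checks only the file locations; confirm the cache setting in the portal.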


After ADFS01 reboots successfully, follow the same steps for ADFS02. (You will either need to wait for replication to complete, then choose ADFS01 in step 10 because the local replication will be faster, and you will avoid data egress charges, OR you can promote ADFS02 right away, but manually specify one of your on-premises domain controllers).

Fix DNS configuration to use Azure ADDS servers

Ready to tear down just about everything we've done so far and rebuild it? No? Well, tough. Unfortunately, it's not currently possible to modify the DNS servers assigned to a Virtual Network once you have deployed items to the Virtual Network. According to promises made on the Azure blog and forums, this is supposed to be fixed very soon. Before following these steps, go see if you can add additional DNS servers to the Virtual Network configuration in the Management Portal. If you add the server, click save (twice, for some reason) and then still see a magenta line next to the DNS Server name... read on. If you are able to add DNS Servers successfully, place the Azure DNS Servers at the top of the list and the on-prem ones at the bottom, then reboot all of the VMs, and skip the rest of this section. Also, please let me know in the comments, so I can remove this section!

What we will have to do now is to export the configuration for all of our virtual machines, remove them (leaving the VHDs intact), then re-import them with new DNS Settings. It's not really as bad as it sounds (though it is frustrating to have to do it):

  1. Open an Azure PowerShell window. (I told you we'd need it later. Go here to get it setup if you haven't yet.)
  2. Copy and paste the following a line at a time into the Azure PowerShell window. There is no error handling in it, so I would strongly recommend not trying to run it all at once in case something goes wrong. You don't need to paste the comments in (though feel free if you'd like :-) ).
    #So, I know I said one at a time, but these next 6 can be pasted all at once after you've modified them to have the appropriate names and addresses. We're just setting variables that will be used for the cmdlets below.
    $DnsAzure1 = New-AzureDns -Name "ADFS01" -IPAddress ""
    $DnsAzure2 = New-AzureDns -Name "ADFS02" -IPAddress ""
    $DnsOnPrem1 = New-AzureDns -Name "CA01" -IPAddress ""
    $DnsOnPrem2 = New-AzureDns -Name "DFP01" -IPAddress ""
    $AffinityGroup = "ADFSAffinityGroup"
    $VirtualNetwork = "ADFSVirtualNetwork"
    #This statement will export an .xml configuration file for each of your virtual machines. The files will be stored in the root of C (change the path if you like) and will be named with the name of the Virtual Machine.
    Get-AzureService | ForEach-Object {Get-AzureVM -ServiceName $_.ServiceName} | ForEach-Object {Export-AzureVM -Name $_.Name -ServiceName $_.ServiceName -Path ("c:\" + $_.Name + ".xml")}
    #STOP! This next command actually removes the Virtual Machines (but not the VHDs) from Azure, so make absolutely certain that the last step completed successfully and that you have all of the .xml files (one per VM).
    Get-AzureService | foreach-object {Get-AzureVM -ServiceName $_.ServiceName} | ForEach-Object {remove-azurevm -name $_.Name -ServiceName $_.ServiceName}
    #These next two can go together if you'd like. These will remove the actual cloud services associated with the virtual machines
    Remove-AzureService -ServiceName ContosoADFS
    Remove-AzureService -ServiceName ContosoADFSP
    #Re-importing the Virtual Machines will fail if the subscription has no current storage account selected, so run the following, replacing the storage account name with your own.
    Get-AzureSubscription | Set-AzureSubscription -CurrentStorageAccount portalvhdsvfpm1y2dx7np2
    #This command will import the virtual machine with the new DNS settings and will recreate the cloud service we removed earlier. Note that these next 4 commands may take a minute or so each to complete. This is normal.
    Import-AzureVM -Path 'c:\ADFS01.xml' | New-AzureVM -ServiceName ContosoADFS -AffinityGroup $AffinityGroup -DnsSettings $DnsAzure1,$DnsAzure2,$DnsOnPrem1,$DnsOnPrem2 -VNetName $VirtualNetwork
    #This command will import the virtual machine with the new DNS settings and add it to the recreated cloud service
    Import-AzureVM -Path 'c:\ADFS02.xml' | New-AzureVM -ServiceName ContosoADFS
    #This command will import the virtual machine with the new DNS settings and will recreate the cloud service we removed earlier
    Import-AzureVM -Path 'c:\ADFSP01.xml' | New-AzureVM -ServiceName ContosoADFSP -AffinityGroup $AffinityGroup -DnsSettings $DnsAzure1,$DnsAzure2,$DnsOnPrem1,$DnsOnPrem2 -VNetName $VirtualNetwork
    #This command will import the virtual machine with the new DNS settings and add it to the recreated cloud service
    Import-AzureVM -Path 'c:\ADFSP02.xml' | New-AzureVM -ServiceName ContosoADFSP
  3. Unfortunately, this process undoes the MTU setting we did earlier (because a new network adapter is created), so you'll need to login to ADFS01 and ADFS02 and issue the following from an elevated command prompt:
    netsh interface ipv4 set subinterface "Ethernet 3" mtu=1350 store=persistent
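The comment before the Remove-AzureVM line asks you to make absolutely certain that every VM was exported before anything is removed. The script below is an added example (not code from the original article) that turns that manual check into a gate: it exports each VM exactly as the article's one-liner does, then refuses to run Remove-AzureVM unless one parseable .xml file per VM exists and you confirm. It assumes the classic Azure Service Management cmdlets used above and C:\ as the export folder; the VHDs are kept because Remove-AzureVM is called without -DeleteVHD.

```powershell
# Added example, not from the original article: export every VM, verify the
# exports, and only then remove the VMs (VHDs are kept). Assumes the classic
# Azure PowerShell cmdlets used in the article and C:\ as the export folder.
$ExportDir = 'c:\'

$vms = Get-AzureService | ForEach-Object { Get-AzureVM -ServiceName $_.ServiceName }
if (-not $vms) { throw 'No virtual machines found in the current subscription.' }

# Step 1: export, one .xml per VM, named after the VM as in the article.
foreach ($vm in $vms) {
    $file = Join-Path $ExportDir ($vm.Name + '.xml')
    Export-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Path $file
}

# Step 2: every VM must have produced a well-formed export before anything goes away.
$missing = @()
foreach ($vm in $vms) {
    $file = Join-Path $ExportDir ($vm.Name + '.xml')
    $ok = $false
    if (Test-Path $file) {
        try { $null = [xml](Get-Content -Path $file -Raw); $ok = $true } catch { }
    }
    if (-not $ok) { $missing += "$($vm.ServiceName)/$($vm.Name) -> $file" }
}

if ($missing.Count -gt 0) {
    Write-Warning 'Export incomplete; nothing has been removed:'
    $missing | ForEach-Object { Write-Warning "  $_" }
    return
}

# Step 3: one last human check, then remove the VM definitions only.
Write-Host "All $(@($vms).Count) exports verified in $ExportDir."
if ((Read-Host 'Type REMOVE to delete the VM definitions (disks are kept)') -ne 'REMOVE') {
    Write-Host 'Aborted; nothing removed.'
    return
}
foreach ($vm in $vms) {
    Remove-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name
}
```

After this gate passes, continue with the Remove-AzureService and Import-AzureVM lines from the article unchanged; the MTU fix in step 3 is still needed because the re-imported VM gets a new network adapter.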


You now have a functioning pair of ADDS/DNS servers in your Azure virtual data center. I'll leave it to you to configure an AD site and change your replication schedule as desired. Next, we'll deploy ADFS! Here's a quick review of where we've been and where we're going.

Exact Technical Solutions LLC