I need to understand whether is it possible to add AWS Virtual machine to custom domain controller of Azure.
I have created Active Directory Domain controller in one of the Virtual machine of Azure. Now I have created few virtual machines on AWS (Amazon Web Services). I want to add these machines into Azure custom Domain controller.
Is it possible and if yes, then can someone please guide me on how to do that?
I don't think it is possible with AWS now, but you could try and create a Site-to-Site VPN and test, most likely will not work, but who knows, you might try to replicate your Azure VM DNS network configuration on your AWS VM and see if it helps.
Here's the networking guide for Azure AD Services.
I have tested joining Linux VMs across a Site to Site VPN and they work OK (it was to Azure Active Directory Domain Services, machines could join and users log on).
As the above answer notes however DNS is the killer here. With the Linux boxes I was able to use local config files to save needing to replicate the DNS zone, for Windows boxes you could try hacking the hosts file with some #pre #dom entries but in reality I think you would need a zone replica in your AWS DNS servers for it to work reliably.
Related
I have created my infrastructure through Terraform, the relevant (Azure) resources are
Application Gateway
VMSS (Virtual Machine Scale Set)
Windows VMs => Created/Destroyed by VMSS (Windows VM are in private
subnet, and HTTPS access is through Application Gateway)
Ubuntu based Bastion Host (for RDP and ansible configuration)
So far I am able to configure one of my windows VM through Ansible using psrp protocol, but that was only possible because I knew the private IPV4 of my VM (added the private IP to host file of bastion vm). How can I do it without knowing the IP address(es)?
My other question is how will the Ansible know a new VM has been created and it needs to be configured?
Edit
If you think this is not the best approach, please guide me on how to do it properly? Should I use Packer with custom image? OR is there any other option? The main configuration I want to do is enable IIS and install a few programs like GIT.
Thank you.
The best way IMO is to use a dynamic inventory. Although the doc examples are detailed for clobber and EC2, you will find more info on the included scripts with examples for Azure.
Once you have your dynamic inventory in place, you can refresh it with meta: refresh_inventory whenever you need to.
I feel like I may be trying to sprint before I can even walk here, but I'm getting there! I've got a VM on Azure that I want to be able to access a local fileserver from. We have the following setup:
$COMPANY.net is the local domain, $COMPANY.com is the Azure domain. They are connected using Azure AD Connect, and the VM on Azure is using AADDS; we have a site to site vpn setup between Azure and our local network. I can put in the IP address of the local fileserver and reach it from the Azure VM, but I can't resolve the name if I try that. I believe it is a DNS problem, I need the Azure VM to use my local DNS server to resolve the host name rather than the AADDS addresses. Do I need to set up a DNS server on Azure that will point the requests to my local DNS, or is there another way?
Thank you!
You can specify DNS server for your Azure VM to use. The doc is quite large: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md
Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure provides the ability for you to use your own DNS servers.
On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM, my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same lan, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP
address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with eachother via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess i'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the Virtual Network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
In a azure virtual network(say vnet1) I have 2 virtual machines(say VM1 & VM2).I have windows server active directory installed in VM1. In vnet setting in azure I have mentioned VM1 as my DNS server.So I can use user credentials in AD(from VM1) to login to VM2.Now I want another virtual network(vnet2) to use same AD(in vnet1) so that I could login to the virtual machines in vnet2 using user credentials in AD in vnet1.I tried putting in public IP of VM1 as a DNS setting in vnet2 but that did not work.I would like to know if this is possible? or I have to use another windows server active directory which would be part of my vnet2?
I would also like to know if there are any network limitations on AD?
Thanks in advance.
You net to do a Site to Site between the Vnets.
Depending on if you are using ASM (Azure Service Manager) or ARM (Azure Resource Manager) the solution might have a different setup and there are many blog posts on how to do a Vnet to Vnet connection but i always try to use the official documentation since it always has the latest supported information.
Here is the guide you are looking for.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/
We are planning to rent have two VMs (one for Web Server and another for Database server) on Azure. I would like to know what would be the best way to communicate Database server from web server.
Direct communication using DNS.
Keep both the VMs in Cloud service and use host name to communicate.
Form a virtual network and use the persistent virtual machine IP address to connect to.
Thanks In Advance
you don't want to use the Clud Service host name to communicate between the VMs.
If you want to use DNS, you have to provide DNS - you don't need that too.
For that particular scenario, I would recommend something even simpler:
Put the VMs in the same Cloud service
Do not go for any Virtual Network or DNS Solutions
Use VM Name to connect between the machines.
when the VMs are deployed in the same Cloud Service and not in Virtual Network, Windows Azure provides automatic name discovery. The simplest approach is usually the best.
For more information on name resolution scenarios in Windows Azure, read this paper.