SMB Azure Business Continuity and Disaster Recovery

Active Directory Domain Services
Business Continuity and Disaster Recovery Guide

Prepared by

Robert DeLuca, Jim Phillipps, James Svolos, David Reynolds Stavan Patel, Henry Robalino,
Jason Beck, Alejandra Hernandez, and Joel Yoker

Version 1.0


MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our
provision of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you.
Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee
their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult
their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Revision and Signoff Sheet

Change Record

Date        Author   Version   Change Reference
2/4/2015    SMB      1.0       Initial Release

Table of Contents

1 Introduction
    1.1 Using the Document
    1.2 Azure Business Continuity and Disaster Recovery (BCDR)
    1.3 Scenario Overview
2 Scenario 1: Host an Active Directory Domain Controller in Windows Azure
    2.1 High-Level Scenario Overview
    2.2 Dependencies
    2.3 Design and Deployment Considerations
    2.4 Configuration and Walkthrough Steps
        2.4.1 Deploy Windows Server Virtual Machine in Azure
        2.4.2 Add Data Disk for Active Directory Database
        2.4.3 Configure the Attached Data Disk on the Virtual Machine
        2.4.4 Create Site, Subnet, and Site Link in Active Directory
        2.4.5 Configure DNS and Join Virtual Machine to the Domain
        2.4.6 Promote Windows Azure Virtual Machine to a Domain Controller
        2.4.7 Verify Domain Controller Functionality
3 Scenario 2: Active Directory Backup to Azure Data Disks
    3.1 High-Level Scenario Overview
    3.2 Dependencies
    3.3 Design and Deployment Considerations
    3.4 Configuration and Walkthrough Steps
        3.4.1 Attach Azure Data Disk to Domain Controller Virtual Machine
        Install Windows Server Backup
        3.4.2 Configure Windows Server Backup
        3.4.3 Test Backup Settings
4 Appendix: Configure Azure Virtual Networks and Site to Site VPN Gateway
    4.1 Dependencies
    4.2 Configuration and Walkthrough Steps
        4.2.1 Setup Virtual Network in Azure
        4.2.2 Configure Local Edge Server
        4.2.3 Connect the Azure Gateway

1 Introduction

This document is intended to provide technical details for supporting Business Continuity and Disaster Recovery planning for generic virtual machine workloads. It includes sections outlined by technical scenario and is generalized to support several types of workload deployments, managed and not managed by System Center Virtual Machine Manager.

1.1 Using the Document

You should use this document to support lab and production configurations during customer engagements. It may not align exactly with the customer infrastructure, but the aim of the document is to simplify and outline common configuration steps associated with each scenario.

1.2 Azure Business Continuity and Disaster Recovery (BCDR)

To enable business continuity and disaster recovery (BCDR) in the event of catastrophic failure, workloads in a cloud infrastructure must leverage the capabilities of the cloud's fabric and fabric management infrastructure. Availability targets in cloud environments can be achieved through the combination of native workload constructs and the capabilities of the hosting cloud infrastructure. Azure guidance on supporting BCDR scenarios can be divided across public and hybrid cloud environments using each environment's unique capabilities.

There are three main decision points which drive whether public or hybrid cloud constructs can be used to support BCDR within a given cloud-hosted application or service: the data location, the failover mechanism, and the backup (and subsequent restoration) method. When combined with public and hybrid cloud constructs, these decision points form the basis for a comprehensive cloud-based BCDR strategy.

This spectrum of options is illustrated in the model below.

Figure 1: Cloud-enabled BCDR Framework

This document will cover these areas as they relate to standard virtual machine/workload deployments.

1.3 Scenario Overview

The aforementioned CPIF BC/DR options can be applied to each workload using a series of scenarios. For Active Directory Domain Services, the following scenarios are defined:

1. On-Premises DCs with Replica DC in Azure VM – This scenario outlines providing DR capabilities for on-premises Active Directory Domain Services through cloud-based domain controller virtual machines.
2. On-Premises DCs with Delayed Replication DC in Azure VM – This scenario outlines providing DR capabilities for on-premises Active Directory Domain Services through cloud-based domain controller virtual machines with a delayed replication interval. Delayed replication allows a time window during which invalid or improper changes to Active Directory can be rolled back through the "authoritative restore" process.
3. Backup of Azure-based DC to Azure Data Disk – This scenario outlines scenarios related to backup and restore of Active Directory domain controllers to dedicated backup disks attached to Microsoft Azure IaaS Virtual Machines.

While these do not encompass all of the potential scenarios one could establish for BC/DR of Active Directory Domain Services using cloud infrastructures, they provide a basis for the most common scenarios which would be encountered. These scenarios will be expanded as newer data and cloud platform capabilities become available. The following sections provide step-by-step examples of how these scenarios can be established in a cloud environment.

This documentation assumes that the reader has access to and a working knowledge of the Windows Server Hyper-V and System Center private cloud environment and has access to a Microsoft Azure subscription.

2 Scenario 1: Host an Active Directory Domain Controller in Windows Azure

This section describes the scenario of deploying a domain controller within Microsoft Azure for disaster recovery of Active Directory Domain Services.

2.1 High-Level Scenario Overview

Through connecting an on-premises network with an Azure virtual network via Site-to-Site VPN and promoting an Azure virtual machine to a domain controller, domain users and systems will be able to maintain a level of functionality in case of catastrophic failure of the on-premises Active Directory infrastructure.

Figure 3: High-level Solution Architecture

2.2 Dependencies

• Install and configure Windows Azure PowerShell on the local machine.
• Complete the configuration of the Windows Azure virtual network, local network, and RRAS gateway.
• Create on-premises sites and subnets in Active Directory.

2.3 Design and Deployment Considerations

When hosting a domain controller in Windows Azure it is important to restrict access to the Azure Subscription. Users with administrator access to the Azure Subscription have access to a domain controller image and domain accounts. Azure Subscription administrators must be trusted as domain administrators. The Azure virtual network should have no publicly accessible endpoints, with the only connection being the site-to-site VPN.

The Azure virtual network address space must be reachable from one or more on-premises domain controllers for Active Directory replication to occur. On-premises servers and workstations must also have connectivity to the virtual network address space to communicate with Azure-based domain controllers in the event of an on-premises domain controller failure. For configuration simplicity and reduced time-to-recovery, it is recommended that domain controllers, servers, and client computers have access to the virtual network subnet at all times, rather than waiting for a failure to occur before allowing server and client access. Azure will effectively become a new location for your organization. Azure ExpressRoute is recommended to increase the reliability and speed of the connection.

Azure-based domain controllers should reside in a dedicated Active Directory site with an appropriate site link connecting the site to existing on-premises site(s). Adjustment of site link costs and DC locator DNS records can be used to optimize replication patterns, site coverage, and discovery of domain controllers by clients and servers. In the default configuration, Azure-based domain controllers in a separate site will not regularly service clients and servers from other sites, but some traffic may be seen if domain controllers are located using non-site-specific global records. This can be disabled to reduce network traffic, but will delay failover to Azure domain controllers and may require manual administrator intervention. Global locator record registration is important as it allows Azure domain controllers to quickly service Active Directory clients in the event of an on-premises domain controller failure.

The decision to use schedule-driven replication or notification-driven replication over the Azure site link should consider network traffic, Azure bandwidth charges, and the risk of losing on-premises Active Directory changes in the event of an on-premises domain controller failure. Notification-driven replication will minimize replication latency, ensuring any Active Directory changes made to on-premises domain controllers are quickly replicated to cloud-based domain controllers. Schedule-driven replication may help decrease network traffic depending on the nature of your organization's Active Directory change patterns.

Azure domain controllers are configured as DNS servers and can host all required DNS zones, but this does not mean clients and servers will automatically use them in the event of an on-premises DC/DNS failure. Consider the DNS configuration of your organization and determine the appropriate failover/DR approach. If clients and servers are pointing exclusively to on-premises domain controllers for DNS, some level of intervention will be required to leverage the Azure domain controllers for DR. On the other hand, if clients and servers are configured with Azure domain controllers as a secondary or tertiary DNS server, some additional Azure network traffic will likely be seen during normal operations.

All Azure domain controllers can reside on the same virtual network and share a common Active Directory site, or can be configured in separate sites if your organization's requirements dictate such a configuration. The Active Directory database, logs, and SYSVOL should be placed on a separate Azure data disk to ensure data persistence through any site repair or recovery, and to ensure Active Directory database integrity in the case of a VM failure, crash, reset, or other case where the operating system is not shut down cleanly.

The configuration and walkthrough steps provided below configure one domain controller to service a single-domain Active Directory environment. In the case of multiple domains or forests, the configuration steps should be followed for each domain that requires disaster recovery capabilities.

2.4 Configuration and Walkthrough Steps

2.4.1 Deploy Windows Server Virtual Machine in Azure

1. From the Microsoft Azure Management Portal (Azure Portal) create a new virtual machine in Compute -> Virtual Machine -> From Gallery.
2. Select a Windows Server 2012 R2 Datacenter image.
3. Configure the version (select the latest date), enter the computer name, the appropriate size (standard), and the administrator user name and password. Continue to the virtual machine configuration.
4. Select "Create a new cloud service".
Note: If a cloud service exists, select the existing service and skip to step number 5.

5. Select the appropriate Affinity Group.
Note: The name of the cloud service is the name of the new virtual machine being created and can be modified if needed.
Note: The subnet will be filled in based on the affinity. If there are additional subnets, select the appropriate one.
6. Use an automatically generated Storage Account, unless a previously created storage account is necessary.
7. Select an Availability Set if one is appropriate.
8. Continue to the next virtual machine configuration page.

Figure 4: Virtual Machine Configuration in Azure Portal.

9. Check the boxes for VM Agent and Microsoft Anti-Malware.
10. Continue and the new virtual machine will be prepared.
11. Confirm the virtual machine was created by navigating to Virtual Machines in the Azure Portal.

Figure 5: Virtual Machines in Azure Portal.

12. The status next to your new virtual machine should be a green check mark "Running".
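Section 2.3 requires that the Azure virtual network expose no public endpoints and that the domain controller be reachable only over the site-to-site VPN, but a VM created from the gallery in section 2.4.1 normally receives Remote Desktop and PowerShell input endpoints on a public VIP. The following script is an added example, not part of this guide or of Microsoft's published tooling; it audits those endpoints with the Windows Azure (Service Management) PowerShell cmdlets from section 2.2 and can remove them once an administrative path through the on-premises network is confirmed. The cloud service and VM names are placeholders.

```powershell
# Added example, not part of the guide: audit the public input endpoints of the
# Azure (classic / Service Management) VM created in section 2.4.1 against the
# rule in section 2.3 that the DC must be reachable only over the site-to-site
# VPN. Gallery VMs are normally created with Remote Desktop and PowerShell
# endpoints on a public VIP, so a freshly built DC usually fails this check.
# Assumes the Windows Azure PowerShell module from section 2.2 is loaded and a
# subscription is selected; $ServiceName and $VMName are placeholder values.
function Test-AzureDcPublicEndpoints {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # cloud service from step 4
        [Parameter(Mandatory)][string]$VMName         # computer name from step 3
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' was not found in cloud service '$ServiceName'." }

    # Every input endpoint maps a public VIP:port to the VM; for a domain
    # controller that is unnecessary exposure regardless of the port.
    $endpoints = @($vm | Get-AzureEndpoint)
    $report = foreach ($ep in $endpoints) {
        [pscustomobject]@{
            Name       = $ep.Name
            Protocol   = $ep.Protocol
            PublicPort = $ep.Port
            LocalPort  = $ep.LocalPort
            PublicVip  = $ep.Vip
        }
    }
    [pscustomobject]@{
        VM              = $VMName
        PublicEndpoints = @($report)
        Compliant       = ($endpoints.Count -eq 0)
    }
}

function Remove-AzureDcPublicEndpoints {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    foreach ($ep in @($vm | Get-AzureEndpoint)) {
        # Remove-AzureEndpoint edits the in-memory role configuration only.
        $vm = $vm | Remove-AzureEndpoint -Name $ep.Name
    }
    # Update-AzureVM pushes the modified configuration back to Azure.
    $vm | Update-AzureVM
}

# Usage (placeholder names): report first; remove only after the VPN path and
# an administrative route through the on-premises network have been confirmed,
# because removing the endpoints also removes RDP access from the Internet.
$state = Test-AzureDcPublicEndpoints -ServiceName "dc-cloud-service" -VMName "AZDC01"
$state.PublicEndpoints | Format-Table -AutoSize
if (-not $state.Compliant) {
    Write-Warning "$($state.VM) still has $($state.PublicEndpoints.Count) public endpoint(s)."
}
```

Run the check again after promotion (section 2.4.6) and whenever the VM is recreated from an image, since the endpoints are part of the deployment, not of the operating system.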

2.4.2 Add Data Disk for Active Directory Database

1. Navigate to Virtual Machines in the Azure Portal.
2. Select the virtual machine created in the last section.
3. At the bottom of the management portal select Attach -> Attach Empty Disk.
4. Enter the desired size of the disk.
5. Configure the cache option to NONE.
6. Continue to create and attach the new disk.

Figure 6: Configuration options for attaching an empty disk.

2.4.3 Configure the Attached Data Disk on the Virtual Machine

1. Connect to the virtual machine from the Azure Portal.
2. Enter the Administrator credentials.
3. Initialize and format the data disk in Disk Management.

2.4.4 Create Site, Subnet, and Site Link in Active Directory

Complete this step with Windows PowerShell

1. Connect to an on-premises domain controller as an Administrator.
2. Open Active Directory Sites and Services.
3. Right-click on Sites and select New Site.
4. Enter the desired site name for the Azure Site, select the default site link and click OK.
Note: The site link will be changed to a new "Azure to on-premises" site link in a later step.
5. In Active Directory Sites and Services under Sites, right-click on Subnets and select New Subnet.
6. Enter the prefix of the Azure Virtual Network Subnet (e.g. 192.168.2.0/24).

7. Select the Site created for the Azure domain controller.
8. In Active Directory Sites and Services under Sites, then Inter-Site Transports, right-click on IP and select New Site-Link.
9. Enter the desired Name (e.g. AzureSite-OnPremSite) for the Site-Link and select the sites to be added to the link (e.g. AzureSite, OnPremSite, etc.).
Note: The Site-Link must contain the Azure site and one or more on-premises sites.
10. Enter the desired Cost and Replication time in minutes.
Note: Choose a cost to reflect the appropriate replication and site coverage preferences. This will likely be a cost higher than the cost used on most on-premises site links.
11. Optional: Configure Change Notification for the new Site-Link.
12. Back in Active Directory Sites and Services under Sites, Inter-Site Transports, then IP, right-click on the Site-Link created in the last step and select Properties.
13. In the Site-Link Properties, navigate to the Attribute Editor tab.
14. Locate the attribute "options" and select Edit.

15. Enter the value of 1 to enable change notifications and a value of 0 to disable.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Create New Site:
    New-ADReplicationSite -Name "<Azure Site Name>"

Create New Subnet:
    New-ADReplicationSubnet -Name "<Azure Virtual Network Subnet Prefix>" -Site "<Azure Site>"

Create New Site Link:
    New-ADReplicationSiteLink -Name "<SiteLinkName>" -SitesIncluded <CloudSite,SiteName1[,SiteName2]> -Cost <SiteLinkCost> -ReplicationFrequencyInMinutes <ReplicationTime> -InterSiteTransportProtocol IP -OtherAttributes @{'options'=1}

Note: Choose a cost to reflect the appropriate replication and site coverage preferences. This will likely be a cost higher than the cost used on most on-premises site links. Also, the Site-Link must contain the Azure site and one or more on-premises sites. The -OtherAttributes value of 1 for "options" enables change notification on the link, as in step 15; omit it to leave change notification disabled.

2.4.5 Configure DNS and Join Virtual Machine to the Domain

Complete this step with Windows PowerShell

1. In the Azure Virtual Machine, configure the IPv4 TCP/IP settings.
2. Open the Network and Sharing Center, open the Ethernet interface and select Properties.
3. Configure the preferred DNS server to the on-premises DNS address and the secondary DNS server to the loopback address (127.0.0.1).
4. In Control Panel navigate to System and Security, then System.
5. Under Computer name, domain and workgroup settings, select Change Settings.
6. In the Computer Name tab, select Change.
7. Select the Domain radio button, enter the on-premises domain and click OK.
8. When prompted, enter on-premises administrator credentials.
9. After successfully joining the domain, restart the virtual machine.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Configure DNS:
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("<On-Premises DNS IPv4 Address>", "127.0.0.1")

Join Virtual Machine to the Domain:
    Add-Computer -DomainName <On-Premises Domain>
    Restart-Computer

2.4.6 Promote Windows Azure Virtual Machine to a Domain Controller

Complete this step with Windows PowerShell

1. Connect to the virtual machine and open the Server Manager.
2. Navigate to Add Roles and Features.
3. Click Next on the Before You Begin page.
4. On the next page select the Role-based or feature-based installation radio button and click Next.
5. On the Server Selection page, select the Select a server from the server pool radio button and select the desired server from the list.
6. On the Server Roles page select the Active Directory Domain Services role.
7. In the new window, review the features and click Add Features.
8. Click Next on the Features page.
9. Click Next on the AD DS page.
10. On the Confirmation page check the box Restart the destination server automatically if required and click Install.
11. This will take a few minutes to complete; the virtual machine will automatically reboot on completion.
12. After the installation is complete, return to the Server Manager.
13. Click on the flag with the yellow warning icon.
14. In the drop-down select Promote this server to a domain controller. This will launch the Active Directory Domain Services Configuration Wizard.
15. Select the Add a domain controller to an existing domain radio button.
16. Enter your on-premises domain into the domain section.
17. Add a domain administrator account for the credentials and click Next.
18. Check the boxes for Domain Name System (DNS) Server and Global Catalog (GC).
19. Select the site created for Azure.
Note: The site can be changed in the future if the proper site has not been created yet.
20. Enter and confirm the Directory Services Restore Mode (DSRM) password and click Next.
21. Click Next to continue.

22. Review the DNS Options page and click Next.
23. Select the domain controller to replicate from on the Additional Options page and click Next.
24. On the Paths page, change the drive letter of each path to the newly attached disk (e.g. "X:\Windows\NTDS") and click Next.
Note: Be sure to change all of the drive paths ("X") to the Attached Empty Disk from the previous section.
25. Review the configuration on the Review Options page and click Next.
26. Review the warnings on the Prerequisites Check page and click Install.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Use the following script to promote the virtual machine to a domain controller:

    #
    # Windows PowerShell script for AD DS Deployment
    #
    Import-Module ADDSDeployment
    Install-ADDSDomainController `
        -NoGlobalCatalog:$false `
        -CreateDnsDelegation:$false `
        -CriticalReplicationOnly:$false `
        -DatabasePath "X:\NTDS" `
        -DomainName "<Corporate Domain>" `
        -InstallDns:$true `
        -LogPath "X:\NTDS" `
        -NoRebootOnCompletion:$false `
        -SiteName "<Created Site for Azure>" `
        -SysvolPath "X:\SYSVOL" `
        -Force:$true

Note: Be sure to change all of the drive paths ("X") to the Attached Empty Disk from the previous section. All the bold areas (the values in angle brackets) are to be changed to customer-specific details.

2.4.7 Verify Domain Controller Functionality

1. Connect to the virtual machine.
2. In an administrative command prompt, enter:
    DCDiag /c /v
3. Verify that the tests ran successfully.
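The dcdiag run in section 2.4.7 confirms the server is a working domain controller, but it does not tell you whether the site, subnet and site link from section 2.4.4 actually steer replication and client discovery the way section 2.3 intends. The following script is an added example, not part of this guide or of any Microsoft tool; it checks those settings together with replication status and the DC locator SRV records, using the ActiveDirectory and DnsClient modules available on a Windows Server 2012 R2 domain controller or an RSAT workstation. All names passed to it are placeholders for the values created in the preceding steps.

```powershell
# Added example, not part of the guide: a post-promotion health check for the
# Azure domain controller built in sections 2.4.4 to 2.4.7. It verifies the
# site/subnet/site-link configuration, inbound replication from on-premises
# partners, and the DC locator SRV records that section 2.3 relies on for
# failover. Assumes the ActiveDirectory and DnsClient modules are present and
# that dcdiag.exe is on the path; every parameter value is a placeholder.
function Test-AzureDomainController {
    param(
        [Parameter(Mandatory)][string]$DcName,          # e.g. "AZDC01"
        [Parameter(Mandatory)][string]$SiteLinkName,    # e.g. "AzureSite-OnPremSite"
        [Parameter(Mandatory)][string]$AzureSubnet,     # e.g. "192.168.2.0/24"
        [int]$MaxReplicationAgeMinutes = 60             # tolerance for last success
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The DC must advertise as a global catalog (step 18 of section 2.4.6).
    $dc = Get-ADDomainController -Identity $DcName
    if (-not $dc.IsGlobalCatalog) { $findings.Add("$DcName is not a global catalog") }

    # 2. The Azure subnet must map to the DC's site; otherwise clients in the
    #    virtual network are assigned to the wrong site and the site-specific
    #    locator records never point them at this DC.
    $subnet = Get-ADReplicationSubnet -Identity $AzureSubnet -ErrorAction SilentlyContinue
    if (-not $subnet) {
        $findings.Add("Subnet $AzureSubnet is not defined in Active Directory Sites and Services")
    } elseif (-not $subnet.Site -or $subnet.Site -notmatch "^CN=$([regex]::Escape($dc.Site)),") {
        $findings.Add("Subnet $AzureSubnet is not assigned to site $($dc.Site)")
    }

    # 3. The site link must include the Azure site; bit 1 of "options" is the
    #    change-notification setting chosen in step 15 of section 2.4.4.
    $link = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options
    $linkSites = @($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    if ($linkSites -notcontains $dc.Site) {
        $findings.Add("Site link $SiteLinkName does not include site $($dc.Site)")
    }
    $changeNotification = [bool]($link.options -band 1)

    # 4. Every inbound partner must have replicated recently, with no recorded failures.
    $partners = @(Get-ADReplicationPartnerMetadata -Target $DcName)
    foreach ($p in $partners) {
        $age = (Get-Date) - $p.LastReplicationSuccess
        if ($age.TotalMinutes -gt $MaxReplicationAgeMinutes) {
            $findings.Add("No successful replication from $($p.Partner) for $([int]$age.TotalMinutes) minutes")
        }
    }
    foreach ($f in @(Get-ADReplicationFailure -Target $DcName)) {
        $findings.Add("Replication failure with $($f.Partner): $($f.LastError)")
    }

    # 5. DC locator records: the site-specific record proves the DC serves its own
    #    site; the global record is what lets it pick up on-premises clients after
    #    an on-premises DC failure (section 2.3).
    $domain = $dc.Domain
    $records = @{
        Global = "_ldap._tcp.dc._msdcs.$domain"
        Site   = "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain"
    }
    foreach ($kind in $records.Keys) {
        $srv = Resolve-DnsName -Name $records[$kind] -Type SRV -ErrorAction SilentlyContinue
        $targets = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
        if ($targets -notcontains $dc.HostName) {
            $findings.Add("$kind SRV record $($records[$kind]) does not list $($dc.HostName)")
        }
    }

    # 6. dcdiag as in step 2 of section 2.4.7, limited to replication and
    #    advertising; /q prints only errors, so any output is a finding.
    $dcdiag = & dcdiag.exe /s:$DcName /test:Replications /test:Advertising /q 2>&1
    if ($dcdiag) { $findings.Add("dcdiag reported: $($dcdiag -join ' ')") }

    [pscustomobject]@{
        DomainController   = $dc.HostName
        Site               = $dc.Site
        ChangeNotification = $changeNotification
        InboundPartners    = $partners.Count
        Findings           = $findings.ToArray()
        Healthy            = ($findings.Count -eq 0)
    }
}

# Usage (placeholder names):
Test-AzureDomainController -DcName "AZDC01" -SiteLinkName "AzureSite-OnPremSite" -AzureSubnet "192.168.2.0/24"
```

The replication-age tolerance should match the site link: with change notification enabled a few minutes is reasonable, while a schedule-driven link should use the replication interval configured in step 10 of section 2.4.4 plus some slack.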

3 Scenario 2: Active Directory Backup to Azure Data Disks

This scenario outlines scenarios related to backup and restore of Active Directory domain controllers to dedicated backup disks attached to Microsoft Azure IaaS Virtual Machines.

3.1 High-Level Scenario Overview

Active Directory domain controller backups are a critical part of an Active Directory disaster recovery strategy. Having multiple domain controllers in geographically dispersed locations and using techniques such as delayed replication sites can provide protection against server failures, location failures, and some types of content issues within Active Directory, but these techniques are not a replacement for full domain controller backups. This scenario describes the basic configuration of Windows Server Backup to maintain backups of a cloud-based domain controller. Backups are stored on an Azure data disk attached to each domain controller virtual machine.

Figure 7: High-level Solution Architecture

3.2 Dependencies

Complete the configuration of Scenario 1: Host an Active Directory Domain Controller in Windows Azure, including all dependencies.

3.3 Design and Deployment Considerations

This scenario will use Windows Server Backup to perform a full backup, including system state, of each Active Directory domain controller hosted in Windows Azure. Azure-based domain controller backup can be used as a complement to or as a replacement for on-premises backup. In general, Microsoft recommends that at least two domain controllers in each domain are backed up regularly. Consider this recommendation when deciding on a backup strategy and create additional Azure-based domain controllers as needed.

Storage required for backups will vary based on the size of your organization's domain controller virtual machines, including the size of the Active Directory database, logs, and SYSVOL. Testing is recommended to determine the most appropriate backup disk size. Windows Server Backup will automatically retain backups on locally-attached dedicated backup disks and remove old backups as needed.

Active Directory domain controller backups are generally only valid within the Active Directory forest tombstone lifetime. There are situations where domain controller backups older than the forest tombstone lifetime can be used to initiate a full forest recovery, but this is a complex scenario outside the scope of this scenario guide. Assistance from Microsoft Support is recommended if attempting such a recovery.

Domain controller backups must be secured to the same degree as domain controllers. Ensure that any Azure subscription administrators and co-administrators are trusted to the same degree as domain administrators.

3.4 Configuration and Walkthrough Steps

This scenario walkthrough covers the configuration of Windows Server Backup for a single domain controller hosted in Windows Azure. The following steps should be repeated for each domain controller to be protected.

3.4.1 Attach Azure Data Disk to Domain Controller Virtual Machine

1. Using the Azure management console, add a data disk to an Azure domain controller virtual machine with non-delayed replication. Select an appropriate data disk size based on the expected backup size and number of backups you want to store.
Note: The data disk need not be initialized or formatted at this time. Windows Server Backup will automatically initialize and format the backup disk when a backup schedule is configured.

Install Windows Server Backup

1. From Server Manager, select Add Roles and Features and follow the wizard to install the Windows Server Backup feature.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Install Windows Server Backup:
    Install-WindowsFeature Windows-Server-Backup

3.4.2 Configure Windows Server Backup

1. Start the Windows Server Backup console, right-click Local Backup and select Backup Schedule… to start the Backup Schedule Wizard.
2. On the Getting Started page, click Next.
3. On the Select Backup Configuration page, select Full server (recommended) and click Next.
4. On the Specify Backup Time page, configure the desired backup schedule and click Next.
5. On the Specify Destination Type page, select Back up to a hard disk that is dedicated for backups (recommended) and click Next.
6. On the Select Destination Disk page, click Show All Available Disks.

7. In the Show All Available Disks dialog, place a check beside the dedicated data disk for storing backups, and click Ok
Note: Any existing data on the selected disk will be destroyed. Be sure not to select the data disk in use by Active Directory for its database, logs, and/or SYSVOL. If the instructions in this guide have been followed, the newly added data disk will not be formatted or initialized and can be easily identified because it will have no volumes listed in the Show All Available Disks dialog.
8. The Select Destination Disk page should now display the data disk to be used for storing backups. Place a check beside the data disk and click Next.
9. Read the warning about disk reformatting and click Yes to use the selected data disk.
10. Verify all settings on the Confirmation page and click Finish to format the backup data disk and create the new backup schedule. Click Close when the backup schedule creation is complete.

3.4.3 Test Backup Settings
1. Start the Windows Server Backup console, right click Local Backup and select Backup Once… to start the Backup Once Wizard
2. On the Backup Options page, select Scheduled backup options and click Next
3. Verify all settings on the Confirmation page and click Backup to start a backup immediately
4. Wait for backup completion and ensure the backup is successful.
Note: Testing the validity and restorability of the backup is beyond the scope of this guide, but is strongly recommended.
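The procedure in 3.4.1 to 3.4.3 as a single script, added here as an example; it is not the guide's own code. It implements the wizard's "Full server" schedule on a dedicated disk with the Windows Server Backup cmdlets, and enforces the warning in step 7 in code: the target must be the still-RAW data disk added in 3.4.1, and it must not be a disk that holds the Active Directory database, logs, SYSVOL or the system volume. It assumes exactly one such RAW disk is attached and that a nightly 21:00 schedule is wanted; both are assumptions, not values from the guide. Run it elevated on each domain controller to be protected.

```powershell
# Added example, not part of the guide. Run in an elevated PowerShell on the Azure-hosted DC.
Import-Module ServerManager
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Install-WindowsFeature Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# Disk numbers that hold NTDS.dit, the AD logs, SYSVOL or %SystemRoot%.
# These are read from the registry so the check follows wherever the DC keeps them.
function Get-ProtectedDiskNumbers {
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $paths  = @($ntds.'DSA Database file', $ntds.'Database log files path', $sysvol, $env:SystemRoot)
    $paths | ForEach-Object { Split-Path -Qualifier $_ } | Sort-Object -Unique |
        ForEach-Object { (Get-Partition -DriveLetter $_.TrimEnd(':')).DiskNumber } | Sort-Object -Unique
}

# The dedicated target: the one disk that is still RAW (never initialised, as the portal leaves it)
# and is not on the protected list. Anything else is refused rather than guessed at.
function Get-BackupTargetDisk {
    $protected = @(Get-ProtectedDiskNumbers)
    $raw = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' -and $protected -notcontains $_.Number })
    if ($raw.Count -ne 1) { throw "Expected exactly one RAW data disk for backups, found $($raw.Count)." }
    $wbDisk = Get-WBDisk | Where-Object { $_.DiskNumber -eq $raw[0].Number }
    if (-not $wbDisk) { throw "Disk $($raw[0].Number) is not visible to Windows Server Backup." }
    return $wbDisk
}

# Equivalent of the wizard: Full server, dedicated disk target, daily schedule.
function New-DcBackupPolicy([string]$Time = '21:00') {
    $target = Get-BackupTargetDisk
    $policy = New-WBPolicy
    Add-WBBareMetalRecovery -Policy $policy | Out-Null          # critical volumes incl. system state
    Add-WBSystemState -Policy $policy | Out-Null                # explicit, for clarity when listing the policy
    Add-WBVolume -Policy $policy -Volume (Get-WBVolume -AllVolumes) | Out-Null   # remaining volumes ("Full server")
    Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -Disk $target) | Out-Null
    Set-WBSchedule -Policy $policy -Schedule $Time | Out-Null   # assumed schedule; adjust per site
    return $policy
}

# Register the schedule (this formats the dedicated disk, as the wizard does), then run the
# "Backup Once" test from 3.4.3 and fail loudly if it did not complete.
function Install-DcBackupSchedule {
    $policy = New-DcBackupPolicy
    Set-WBPolicy -Policy $policy -Force
    Start-WBBackup -Policy (Get-WBPolicy)                       # synchronous; same options as the schedule
    $job = Get-WBJob -Previous 1
    if ($job.JobState -ne 'Completed' -or $job.HResult -ne 0) {
        throw "Test backup failed: $($job.ErrorDescription)"
    }
    Get-WBSummary | Select-Object LastSuccessfulBackupTime, LastBackupTarget, NumberOfVersions
}

Install-DcBackupSchedule
```

Set-WBPolicy -Force suppresses the reformat confirmation from step 9, so the guard in Get-BackupTargetDisk is the only thing standing between the script and the wrong disk; keep it. As the guide notes, a successful job is not proof the backup restores: schedule a test restore to an isolated network.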

4 Appendix: Configure Azure Virtual Networks and Site to Site VPN Gateway

4.1 Dependencies
Install and configure Windows Azure PowerShell.

4.2 Configuration and Walkthrough Steps

4.2.1 Setup Virtual Network in Azure

Create Affinity Group
13. Type New-AzureAffinityGroup -Name <"Name"> -Location <"West US"> and press Enter.

Define Local Network and Create Virtual Network
14. Create Network Configuration
Note: Change the server names highlighted in yellow and the corresponding IPv4 addresses. The yellow highlights are the properties of the on-premises network. The green highlights are properties of the Azure virtual network.

    <NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
      <VirtualNetworkConfiguration>
        <Dns>
          <DnsServers>
            <DnsServer name="LocalDC" IPAddress="192.168.5.1" />
          </DnsServers>
        </Dns>
        <LocalNetworkSites>
          <LocalNetworkSite name="LocalNetwork">
            <AddressSpace>
              <AddressPrefix>192.168.5.0/24</AddressPrefix>
            </AddressSpace>
            <VPNGatewayAddress><Local Public IPv4 Number></VPNGatewayAddress>
          </LocalNetworkSite>
        </LocalNetworkSites>
        <VirtualNetworkSites>
          <VirtualNetworkSite name="VirtualNetwork" AffinityGroup="YourAffinity">
            <AddressSpace>
              <AddressPrefix>192.168.2.0/24</AddressPrefix>
            </AddressSpace>
            <Subnets>
              <Subnet name="Subnet-1">
                <AddressPrefix>192.168.2.0/28</AddressPrefix>
              </Subnet>
              <Subnet name="GatewaySubnet">
                <AddressPrefix>192.168.2.16/29</AddressPrefix>
              </Subnet>
            </Subnets>
            <DnsServersRef>
              <DnsServerRef name="LocalDC" />
            </DnsServersRef>
            <Gateway>
              <ConnectionsToLocalNetwork>
                <LocalNetworkSiteRef name="LocalNetwork">
                  <Connection type="IPsec" />
                </LocalNetworkSiteRef>
              </ConnectionsToLocalNetwork>
            </Gateway>
          </VirtualNetworkSite>
        </VirtualNetworkSites>
      </VirtualNetworkConfiguration>
    </NetworkConfiguration>

15. Copy and paste the configuration into Notepad and save it as AzureNetwork.netcfg in C:\.
16. Type Set-AzureVNetConfig -ConfigurationPath C:\AzureNetwork.netcfg and press Enter.
17. Confirm the values match in the Azure Management Portal -> Networks -> Virtual Network.

Create a VPN Gateway in Azure
18. Type New-AzureVNetGateway –VNetName "VirtualNetwork" and press Enter
Note: Creating the VPN gateway in Azure can take over thirty minutes after running the command.
19. To confirm completion, type Get-AzureVNETGateway and press Enter.

Download the VPN Device Script
20. In the Azure Management Portal -> Networks -> Virtual Network -> "VirtualNetwork", select Download a VPN Device Configuration Script.
21. For the Vendor select Microsoft.
22. For the Platform select RRAS.
23. For the Operating System select Windows Server 2012 R2.
Note: The script will download as a .cfg file and will need to be renamed to .ps1.

4.2.2 Configure Local Edge Server

Execute the VPN Device Script
1. On the Local Edge server, rename the downloaded VPN Device Script from .cfg to .ps1.

2. Open Windows Azure PowerShell as an Administrator.
3. Set the PowerShell execution policy so the downloaded script can run. Type Set-ExecutionPolicy Unrestricted and press Enter.
Note: Unrestricted allows any script, downloaded or local, to run on the edge server from then on. Prefer limiting the change to the current session (Set-ExecutionPolicy Unrestricted -Scope Process), or keep RemoteSigned and clear the download mark with Unblock-File on the renamed script. Review the script before running it: it reconfigures RRAS on the edge server and contains the pre-shared key for the IPsec tunnel, so treat the file as a secret.
4. Execute the downloaded VpnDeviceScript.ps1.

4.2.3 Connect the Azure Gateway

Connect the Gateway
1. In Windows PowerShell (Administrator) type Set-AzureVNetGateway -Connect –LocalNetworkSiteName <"LocalNetwork"> –VNetName <"VirtualNetwork"> and press Enter.
2. Confirm completion by running Get-AzureVnetGateway –VNetName <VirtualNetwork>.
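Before step 16 hands AzureNetwork.netcfg to Set-AzureVNetConfig, the addressing in it is worth checking offline: the usual reasons a site-to-site tunnel never passes traffic are a GatewaySubnet outside the virtual network range, a virtual network that overlaps the on-premises range, a DnsServerRef that names no DnsServer, or the VPNGatewayAddress placeholder left in place. The script below is an added example, not part of the guide. It embeds a constructed copy of the appendix configuration (the placeholder replaced with 203.0.113.10, a documentation address) and checks the file with plain CIDR arithmetic; it assumes a single LocalNetworkSite and a single VirtualNetworkSite, as in the appendix.

```powershell
# Added example, not part of the guide: validate an Azure .netcfg before Set-AzureVNetConfig.

# CIDR helpers. Addresses are handled as 64-bit integers to sidestep unsigned arithmetic quirks.
function ConvertTo-Long([string]$Ip) {
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}
function Get-CidrRange([string]$Cidr) {
    $ip, $len = $Cidr.Split('/')
    $size  = [long][math]::Pow(2, 32 - [int]$len)
    $start = [long]([math]::Floor((ConvertTo-Long $ip) / $size)) * $size   # network address
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}
function Test-CidrContains($Outer, $Inner) { $Inner.Start -ge $Outer.Start -and $Inner.End -le $Outer.End }
function Test-CidrOverlap($A, $B) { $A.Start -le $B.End -and $B.Start -le $A.End }

# Returns a list of problems; an empty list means the file is worth applying.
function Test-AzureNetCfg([xml]$Cfg) {
    $vnc   = $Cfg.NetworkConfiguration.VirtualNetworkConfiguration
    $vnet  = $vnc.VirtualNetworkSites.VirtualNetworkSite        # assumes one site of each kind
    $local = $vnc.LocalNetworkSites.LocalNetworkSite
    $problems = New-Object System.Collections.Generic.List[string]
    $vnetRange  = Get-CidrRange $vnet.AddressSpace.AddressPrefix
    $localRange = Get-CidrRange $local.AddressSpace.AddressPrefix

    if (Test-CidrOverlap $vnetRange $localRange) {
        $problems.Add("VNet $($vnetRange.Cidr) overlaps on-premises $($localRange.Cidr); routes over the tunnel are ambiguous")
    }
    $subnets = @($vnet.Subnets.Subnet)
    if ($subnets.name -notcontains 'GatewaySubnet') { $problems.Add("no subnet named GatewaySubnet; New-AzureVNetGateway needs one") }
    foreach ($s in $subnets) {
        if (-not (Test-CidrContains $vnetRange (Get-CidrRange $s.AddressPrefix))) {
            $problems.Add("subnet $($s.name) $($s.AddressPrefix) lies outside $($vnetRange.Cidr)")
        }
    }
    for ($i = 0; $i -lt $subnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $subnets.Count; $j++) {
            if (Test-CidrOverlap (Get-CidrRange $subnets[$i].AddressPrefix) (Get-CidrRange $subnets[$j].AddressPrefix)) {
                $problems.Add("subnets $($subnets[$i].name) and $($subnets[$j].name) overlap")
            }
        }
    }
    $dnsNames = @($vnc.Dns.DnsServers.DnsServer.name)
    foreach ($ref in @($vnet.DnsServersRef.DnsServerRef.name)) {
        if ($dnsNames -notcontains $ref) { $problems.Add("DnsServerRef '$ref' names no DnsServer") }
    }
    $gw = $local.VPNGatewayAddress; $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($gw, [ref]$parsed) -or $parsed.AddressFamily -ne 'InterNetwork') {
        $problems.Add("VPNGatewayAddress '$gw' is not an IPv4 address (placeholder left in?)")
    }
    if ($vnet.Gateway.ConnectionsToLocalNetwork.LocalNetworkSiteRef.name -ne $local.name) {
        $problems.Add("gateway LocalNetworkSiteRef does not match LocalNetworkSite '$($local.name)'")
    }
    return $problems.ToArray()
}

# Constructed sample: the appendix configuration with a documentation address in place of the placeholder.
$sampleCfg = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns><DnsServers><DnsServer name="LocalDC" IPAddress="192.168.5.1" /></DnsServers></Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="LocalNetwork">
        <AddressSpace><AddressPrefix>192.168.5.0/24</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="VirtualNetwork" AffinityGroup="YourAffinity">
        <AddressSpace><AddressPrefix>192.168.2.0/24</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1"><AddressPrefix>192.168.2.0/28</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>192.168.2.16/29</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef><DnsServerRef name="LocalDC" /></DnsServersRef>
        <Gateway><ConnectionsToLocalNetwork>
          <LocalNetworkSiteRef name="LocalNetwork"><Connection type="IPsec" /></LocalNetworkSiteRef>
        </ConnectionsToLocalNetwork></Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

$good = @(Test-AzureNetCfg ([xml]$sampleCfg))
$bad  = @(Test-AzureNetCfg ([xml]$sampleCfg.Replace('192.168.2.16/29', '192.168.9.16/29')))
"appendix configuration: $($good.Count) problem(s)"
$bad | ForEach-Object { "misplaced GatewaySubnet: $_" }
# Apply only when the list is empty, e.g. if ($good.Count -eq 0) { Set-AzureVNetConfig -ConfigurationPath C:\AzureNetwork.netcfg }
```

To use it against a real file, replace $sampleCfg with [xml](Get-Content C:\AzureNetwork.netcfg -Raw); the placeholder form of the appendix will not even parse as XML, which is itself a useful signal that step 14 was not completed. The same containment check is what Azure applies when it rejects a configuration, so running it first turns a slow round trip through Set-AzureVNetConfig into an immediate local error.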