Create Azure VM with Windows Firewall ports open?

Question

I'm working on a Powershell script that will automate setting up an Azure VM, adding it to my Active Directory domain, and setting up a number of other settings.

The idea is to be able to spin up and kill off VMs as needed without any manual interaction (including not having to log on with RDP).

Here's the Powershell command that I use to create the VM. This works fine:

$vm = New-AzVM `
    -ResourceGroupName $resourceGroup `
    -Location $LocationName `
    -Name $VMName `
    -Credential $Credential `
    -VirtualNetworkName $NetworkName `
    -SubnetName $SubnetName `
    -PublicIpAddressName $VMName `
    -SecurityGroupName "name_of_existing_nsg" `
    -OpenPorts 80,135,3389 `
    -Image "MicrosoftWindowsServer:WindowsServer:2019-Datacenter-smalldisk:latest" `
    -Size $VMSize `
    -DefaultProfile $context

I'm adding the VM to an existing network, subnet and network security group that will allow pretty much any communication internally.

The script runs from a VM on the same subnet.

However, once I've created the VM, I want to add it to my domain. I've tried the following steps without success:

• Add-Computer does not work because I can't connect to the required RPC ports on the VM's Windows Firewall. The NSG rules are fine, but I don't know how to create the VM with those ports opened in Windows Firewall. Using the local IP address instead of a DNS name does not help.

 Add-Computer `
    -DomainName "fully-qualified-domain" `
    -Credential $domainCredential `
    -LocalCredential $Credential `
    -ComputerName $nic.IpConfigurations[0].PrivateIpAddress `
    -Server "dc01.fully-qualified-domain" `
    -Restart `
    -Force

 Add-Computer : Cannot establish the WMI connection to the computer '10.1.2.3' with the following error message: The
 RPC server is unavailable. (Exception from HRESULT: 0x800706BA).
At line:1 char:1
+ Add-Computer `
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (10.1.2.3:String) [Add-Computer], InvalidOperationException
    + FullyQualifiedErrorId : AddComputerException,Microsoft.PowerShell.Commands.AddComputerCommand

• Use a VM Extension to add the VM to my domain (not an Azure domain, but one that runs on Azure VMs). I haven't figured out if there is such an extension or how to make it work.
• Use a VM Extension that allows me to run local commands from the VM (like opening firewall ports or even adding it to the domain directly).

I'm not really keen on creating a custom VHD image. I'd much rather be able to start from a standard Microsoft template if this is possible.

Answer 1

Turns out, there's a script extension that can grab a script from a blob storage and run that script on the VM. Store this script in your blob storage:

Import-Module Microsoft.PowerShell.Management

# Add the computer to the domain

# Domain account that will add the VM to the domain:
$domainUser = "some-automation-account@fully-qualified-domain"
$domainUserSecurePassword = ConvertTo-SecureString "password" -AsPlainText -Force

$domainCredential = New-Object `
    System.Management.Automation.PSCredential ($domainUser, $domainUserSecurePassword);

Add-Computer `
    -DomainName "fully-qualified-domain" `
    -Credential $domainCredential `
    -ComputerName (Get-ComputerInfo).CsName `
    -Server "dc01.fully-qualified-domain" `
    -Restart `
    -Force 

... and start the script on the VM with the following Powershell command:

Set-AzVMCustomScriptExtension `
    -Name "CustomScriptExtension" `
    -ResourceGroupName $resourceGroup `
    -VMName $VMName `
    -Location $LocationName `
    -StorageAccountName $scriptStorageAccount `
    -StorageAccountKey $scriptStorageKey `
    -ContainerName "powershell-scripts" `
    -FileName "setup-vm.ps1" `
    -Run "setup-vm.ps1"

More detailed example that I used as a template to make it work.

Answer 2

Azure Automation DSC works a dream for all of this. I have a base config which would probably help if you want a copy?