
Using a Point-to-Site connection, I planned to connect Windows 10 (on-premises) and Windows Server 2016 on Azure so that Windows 10 (on-premises) can join the Windows Server 2016 Domain Controller.

I am elaborating the steps that I followed:

Step1: Create a Resource Group, say SkyTech, with the Region East US.

a) Create an Availability Set, say 1ASet.SkyTech, with details as follows:

  • Resource Group: SkyTech
  • Region: East US
  • Fault domains: 2 (default)
  • Update domains: 5 (default)
  • Use managed disks: Yes (Aligned) (default)

b) Create a Virtual network, say 1VNet.East, with details as follows:

  • Address space: 15.0.0.0/25
  • Resource Group: SkyTech
  • Location: East US
  • Subnet: 1SubNet.East
  • Address range: 15.0.0.0/26
  • DDoS Protection: Basic (default)
  • Service endpoints: Disabled (default)
  • Firewall: Disabled (default)

c) Create a Gateway subnet for the virtual network 1VNet.East with details as follows:

  • Address range: 15.0.0.128/28 (selected automatically)
  • Network security group: None (default)
  • Route table: None (default)
  • Service endpoints: 0 selected (default)
  • Subnet delegation: None (default)

Step2: Create a virtual network gateway with details as follows:

  • Name: SkyTech.EastUS
  • Region: East US
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: Basic
  • Virtual network: 1VNet.East
  • Gateway subnet address range: 15.0.0.128/28 (selected automatically)
  • Public IP address: Create new
  • Public IP address: SkyTech.Pub.IP
  • Public IP address SKU: Basic (selected automatically)
  • Assignment: Dynamic (selected automatically)
  • Enable active-active mode: Disabled (default)
  • Configure BGP ASN: Disabled (default)

Step3: Generate and export certificates on the Windows 10 (on-premises) computer.

a) Create a self-signed root certificate

b) Generate a client certificate

Step4: Export the root certificate public key (.cer)

Step5: Export the self-signed root certificate and private key to store them

Step6: Configure Point-to-Site Configuration in the Virtual Network Gateway

  • Added an Address Pool, 172.16.25.0/24
  • Added Root Certificates and the Public certificate data of the desktop computer (on premises)
  • Clicked Save and then Download VPN client

Step7: Installed the VPN client on the desktop computer (on premises)

Connected the VPN.

In ipconfig, the desktop computer shows an address from the Address Pool (172.16.25.0/24) under the PPP adapter.

Step8: Create a virtual machine

  • Resource group: SkyTech
  • Virtual machine name: SkyTech.EastUS
  • Region: East US
  • Availability option: Availability set
  • Availability set: 1ASet.SkyTech
  • Image: Windows Server 2016 Datacenter
  • Authentication type: Password
  • Username: Admin.SkyTech
  • Password: Admin@123
  • Confirm password: Admin@123
  • Public inbound ports: Allow selected ports
  • Select inbound ports: RDP
  • Already have a Windows Server license: No
  • Disk options (OS disk type): Premium SSD
  • Virtual network: 1VNet.East
  • Subnet: 1SubNet.East
  • NIC network security group: Basic
  • Accelerated networking: Off
  • Place this virtual machine behind an existing load balancing solution: No
  • Boot diagnostics: Off
  • OS guest diagnostics: Off
  • System assigned managed identity: Off
  • Enable auto-shutdown: Off
  • Enable backup: Off

Step9: Set a static IP on the virtual machine

In the virtual machine, under Settings > Networking, there are NIC Public IP: 40.82.x.x and NIC Private IP: 15.0.0.4.

Click 40.82.x.x > Settings > Configuration, set Assignment: Static, then Save.

Step10: Created the DNS server at the VNet level as follows: used 15.0.0.4 as a Private IP under Custom.

I tried all the above steps about times, in the order Step1 to Step10.

The issue is:

From the Windows 10 (on-premises) computer, I am able to connect to the Windows Server 2016 VM SkyTech.EastUS using RDP with both the Public IP and the Private IP.

But the two (Windows 10 and Windows Server 2016) cannot ping each other, which I need so that I can join Windows 10 to the Windows Server 2016 Domain Controller.

Moreover, after all the steps (Step1 to Step10), I added the Active Directory Domain Services role and promoted Windows Server 2016 to a Domain Controller.

Then, I tried to join Windows 10 to the Windows Server 2016 Domain Controller. I see the error message as follows:

[screenshot of the error message]

Please let me know, what I need and where I am wrong.

Regards

TekQ


2 Answers

You need your VM to be able to talk to the domain controller, and your VM to be able to resolve the DNS name of your domain to one of the domain controllers. Usually you just specify one or more of your domain controllers as DNS servers for the VM.

Alternatively you can set them at VNet level, so the settings are applied to all the VMs in the VNet.

For connectivity you can use VNet peering or Site-to-Site VPN.

4c74356b41

Two things you have to do:

  • Deploy a DNS server. Usually, you could do this by adding a DNS role in the DC VM or another server in the same VNet. Specify the DNS server private IP address in the DNS servers of the Azure VNet on the Azure portal.
  • Create an Azure VPN gateway to connect the on-premises network and the Azure VNet. In this case, for one or a few clients, you could use a P2S VPN gateway. For a corporate network, you could use the S2S VPN gateway. This approach needs a VPN device.

Once the VPN gateway is set up and you can ping the Azure VM via its private IP address, you can join the desktop to the AD DC domain. Note that once you update the DNS or other settings in the Azure VNet, you have to re-download the VPN client to pick up the local DNS or route update if you have a P2S gateway.

Nancy
  • Thank you for your effort. The link http://dataap.org/blog/2017/05/05/connect-azure-virtual-machines-on-a-same-domain/ talks about adding the domain controller IP address at the Network Interface of the DNS Server on the Azure Portal. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways talks about the virtual network gateway. – TekQ Feb 28 '19 at 18:32
  • Theoretically I know the Windows Server 2016 VM and the Windows 10 Pro desktop must be able to ping each other, and after that Windows 10 Pro can join the Windows Server 2016 VM. – TekQ Feb 28 '19 at 18:33
  • Theoretically it's okay, but I am unable to understand how to start it practically. The Public IP of Windows Server 2016 is 104.x.x.x, the Private IP is 10.x.x.x and the IP assigned on the Windows 10 Pro desktop computer is 192.168.x.x. Please guide me on what and how I need to set up practically. – TekQ Feb 28 '19 at 18:34
  • Check another [SO](https://stackoverflow.com/questions/54167112/is-it-possible-to-join-a-local-windows-machine-on-premises-to-a-windows-server) for details, and [P2S VPN configuration](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal). – Nancy Mar 01 '19 at 03:23
  • I have gone through the link https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal. While creating a virtual network gateway, a Public IP Address is required. The link says to specify the public IP address object that gets associated with the VPN gateway. How do I know what public IP address will get associated with the VPN Gateway? – TekQ Mar 05 '19 at 22:48
  • Just click "create a new public IP" when you deploy the VPN gateway on the Azure portal; just follow that link. Azure will dynamically assign a PIP for your VPN gateway. – Nancy Mar 06 '19 at 01:15
  • I uploaded an image. Please look and guide me on which type of public IP address I should use. Can I use any random public IP address, or is there any criteria? – TekQ Mar 06 '19 at 21:43
  • It's just a name for a public IP address; you can use any string between 1-80 characters. For example, give it the name `vm-pip`. It will show that name when you find the IP resources in your resource group after the VPN is created. – Nancy Mar 08 '19 at 01:22
  • Sorry for the delay in response. I have gone through the steps explained in various links, but the issue is not resolved. – TekQ Aug 20 '19 at 21:41
  • I can do it via those steps; maybe you can contact MS support for direct support. It's difficult to help you on the forum with little information on your side. – Nancy Aug 21 '19 at 01:09
  • Let me know what other information is required from my side. I'll try to provide more information. – TekQ Aug 21 '19 at 13:56
  • Did you specify the DNS server private IP address in the `DNS servers` of the Azure VNet on the Azure portal, referring to [this](http://dataap.org/blog/2017/05/05/connect-azure-virtual-machines-on-a-same-domain/)? If the network connectivity is fine, consider whether the on-premises client can look up the DC via DNS; you should have a DNS server role on the Azure VM in the Azure VNet. – Nancy Aug 28 '19 at 09:35
  • I edited my question to elaborate the steps I followed. Please guide me accordingly. – TekQ Aug 29 '19 at 22:34
  • Please hide your admin or password info or other sensitive data. Do you join the VM via the UI? Is there any error message when you join the domain? When a VPN connection is connected, can you see the DNS server 15.0.0.4 in `ipconfig /all` on the VPN client? If you set up the DC and DNS role on the Azure VM, you can refer to [this1](https://azure.microsoft.com/en-us/resources/videos/create-vms-to-run-domain-controller-and-dns-server-roles/); if you join an Azure VM to an on-prem Active Directory, you can refer to [this2](https://4sysops.com/archives/join-an-azure-vm-to-an-on-prem-active-directory/). – Nancy Aug 30 '19 at 04:42
  • I know the admin username and password are sensitive data. Both are just an example. I paraphrased step 10 and edited my question with the error message. I checked on the VPN client only by ipconfig. In ipconfig, the VPN client shows an address from the Address Pool (172.16.25.0/24) under the PPP adapter. Once again, I will do the setup and check `ipconfig /all`. Please let me know what more I need to check. – TekQ Aug 30 '19 at 05:35
  • Do you see the DNS server IP under the PPP adapter in `ipconfig /all`? And what's your DNS server? You should have a DNS role on this DC machine or another VM on the same VNet. Is there an `A` record in the DNS zone `skytechdc.com`? Also, you can check the details in that error message. – Nancy Aug 30 '19 at 05:54
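The checks that Nancy's answer and the comment thread ask for (DNS server handed to the PPP adapter, A and DC-locator SRV records answered by the DC, and reachability of the domain-join ports rather than ping) as one diagnostic script to run on the Windows 10 client; this is an added example, not code from either post, and it assumes the values given in the thread (DC private IP 15.0.0.4, domain skytechdc.com, P2S pool 172.16.25.0/24) plus the standard Active Directory port list.

```powershell
# Added diagnostic (not from the question or the answers); run on the Windows 10
# client while the P2S VPN is connected. It checks what Nancy's answer and comments
# ask about: the DNS server on the PPP adapter, the domain's A and DC-locator SRV
# records as answered by the DC, and the TCP ports a domain join uses. Ping can fail
# while these pass (ICMP echo is commonly filtered by the NSG or guest firewall).
# Assumed values from the thread: DC 15.0.0.4, domain skytechdc.com, pool 172.16.25.0/24.
param(
    [string]$DcIp       = '15.0.0.4',
    [string]$Domain     = 'skytechdc.com',
    [string]$PoolPrefix = '172.16.25.'
)
$ok = $true

# 1. The VPN adapter must hold a pool address and list the DC as its DNS server;
#    after changing VNet DNS the P2S client has to be re-downloaded to pick it up.
$ppp = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -like "$PoolPrefix*" } | Select-Object -First 1
if (-not $ppp) {
    Write-Warning "No interface has an address from $PoolPrefix - is the VPN connected?"; $ok = $false
} else {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $ppp.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    Write-Host "VPN adapter '$($ppp.InterfaceAlias)': $($ppp.IPAddress), DNS = $($dns -join ', ')"
    if ($dns -notcontains $DcIp) { Write-Warning "VPN adapter DNS does not include $DcIp"; $ok = $false }
}

# 2. Ask the DC directly for the records a domain join needs (bypassing the client cache).
$queries = @(
    @{ Name = $Domain;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
)
foreach ($q in $queries) {
    try {
        $rec = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DcIp -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq $q.Type } | Select-Object -First 1
        $target = if ($q.Type -eq 'SRV') { "$($rec.NameTarget):$($rec.Port)" } else { $rec.IPAddress }
        Write-Host "$($q.Type) $($q.Name) -> $target"
    } catch {
        Write-Warning "$($q.Type) lookup for $($q.Name) failed against $($DcIp): $_"; $ok = $false
    }
}

# 3. RDP working proves nothing about these; each must be open on the DC and allowed
#    by its NSG and Windows Firewall for the join (DNS, Kerberos, RPC, LDAP, SMB).
foreach ($port in 53, 88, 135, 389, 445) {
    if (Test-NetConnection -ComputerName $DcIp -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue) {
        Write-Host "TCP $port to $DcIp open"
    } else { Write-Warning "TCP $port to $DcIp blocked"; $ok = $false }
}
if ($ok) { 'Prerequisites for the domain join look good.' } else { 'Fix the warnings above, then retry the join.' }
```

If the SRV lookup fails but the A record resolves, the DNS zone on 15.0.0.4 is missing the DC-locator records, which usually means the DNS role or the domain's zone was not created on that server.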