
I am really new to Active Directory, and I am trying to set up an Active Directory on a Windows 2016 Azure VM and then expose the Controller to the Internet so I can join a PC to the directory. Since this is only for testing purposes, security does not matter.

I followed the steps in creating an Active Directory in the VM from this link: http://pc-addicts.com/setup-active-directory-server-2016/

I also have my own domain, but for this question I'm gonna hide it as testdomaincontroller.com. The computer name is adreg, so the server became adreg.testdomaincontroller.com.

During my testing, the Root Domain Name I have used is: testdomaincontroller.com

Now I want to expose the Active Directory to the public so I can join a PC to the Domain Controller. I can't find any documents or tutorials on how to do this, so what are the steps needed for this? What should be added to my hosted DNS record zone so that a sample Windows 10 PC can join the domain? What ports should be exposed in the NSG and allowed in the VM firewall?

weyhei

1 Answer


In the future, when spinning up a real domain, you should use a subdomain of your registered domain as your domain's FQDN. As it is, you should probably go back and do that, although this is a bad idea (even for testing).

I would start over from scratch using ad.testdomaincontroller.com. I would create a DNS delegation in your public DNS zone for ad.testdomaincontroller.com to point to the IP address of your soon-to-be DNS server. Then I would re-do the process using the new name, and let the Domain Controller (acting as the DNS server for the new domain) create all of the necessary service records for the domain. Without this part, you'll be forced to manually create a bunch of subdomains, service locator records and A records - just don't bother with that. It's not feasible, and for a test environment it is likely more pain than it is worth.


You will likely not find any documentation about how to expose your Domain Controller over the public internet, because that is not a valid or desirable configuration.


Here is a detailed blog post by Ace Fekay detailing which ports are required for DC to DC communication and client to DC communication: https://blogs.msmvps.com/acefekay/category/dc-to-client-communications-firewall-ports/

Here are some additional details about running AD over a NAT, just for reference: https://support.microsoft.com/en-us/help/978772/description-of-support-boundaries-for-active-directory-over-nat

Semicolon
  • Thank you very much. I was able to create an AD Domain Controller in an Azure VM, and it is publicly visible on the internet. – weyhei Jul 16 '19 at 12:18
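As an added example (not part of the answer above), here is the delegation, the forest promotion and the verification step the answer describes, written in PowerShell. It assumes the public zone testdomaincontroller.com is hosted in Azure DNS in a resource group named rg-dns (an assumed name), that the Az.Dns module is installed on the admin workstation, and uses a placeholder public IP for the VM.

```powershell
# Added example, not from the original answer. Step 1 runs on an admin
# workstation with Az.Dns; steps 2 and 3 run on the Azure VM itself.
$zone   = 'testdomaincontroller.com'
$rg     = 'rg-dns'                          # assumed resource-group name
$dcFqdn = 'adreg.ad.testdomaincontroller.com'
$dcIp   = '203.0.113.10'                    # placeholder: the VM's public IP

# 1. Delegate ad.testdomaincontroller.com to the soon-to-be DC/DNS server.
#    The NS target lives inside the delegated zone, so the parent zone
#    also needs a glue A record for it.
New-AzDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name 'ad' `
    -RecordType NS -Ttl 3600 `
    -DnsRecords (New-AzDnsRecordConfig -Nsdname $dcFqdn)
New-AzDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name 'adreg.ad' `
    -RecordType A -Ttl 3600 `
    -DnsRecords (New-AzDnsRecordConfig -Ipv4Address $dcIp)

# 2. On the VM: promote it as the first DC of the new forest and let the
#    installer create the DNS zone and the service records itself.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password'
Install-ADDSForest -DomainName 'ad.testdomaincontroller.com' `
    -DomainNetbiosName 'AD' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# 3. After the reboot: confirm the delegation chain and the SRV records a
#    Windows client queries during a domain join actually resolve.
$checks = @(
    @{ Name = 'ad.testdomaincontroller.com';                         Type = 'NS'  },
    @{ Name = '_ldap._tcp.dc._msdcs.ad.testdomaincontroller.com';     Type = 'SRV' },
    @{ Name = '_kerberos._tcp.dc._msdcs.ad.testdomaincontroller.com'; Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $null = Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction Stop
        "OK   $($c.Type) $($c.Name)"
    } catch {
        "FAIL $($c.Type) $($c.Name): $($_.Exception.Message)"
    }
}

# dcdiag validates the same records from the DC's own point of view.
dcdiag /test:dns /v
```

Run the step 3 checks from a machine outside the VM as well: if the SRV names resolve there but the join still fails, the problem is the NSG or host firewall rather than DNS.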