As you know, there is no such thing as magic: if your datacenter is down, with your AD FS farm in it, all your users will fail to log in to Office 365. This means no email, no OneDrive, no SharePoint, no Lync, which can be pretty annoying.
You have several solutions to solve this potential issue:
- Synchronize the passwords and do not use domain federation.
- Split the AD FS farm across distinct physical sites.
- Install domain controllers in Azure IaaS, with your AD FS farm next to them.
In this article we’ll focus on the third option. Microsoft supports installing domain controllers in Azure IaaS under certain conditions.
You need to put your Active Directory database and logs on a separate hard disk drive with host caching disabled. Indeed, just like in a traditional deployment, Active Directory does not use the disk cache; it requires writes to go directly to the disk to avoid consistency issues and USN rollback.
You can see whether your disks have host caching enabled on Azure with:
Get-AzureVM -Name DC1 -ServiceName ServiceName | Get-AzureDataDisk
Here, we see that “HostCaching” is set to None (disabled); that’s what you need for Microsoft to support your deployment.
You can also see it through the GUI, in your virtual machine dashboard:
You can disable the cache when you create a data disk:
Get-AzureVM -Name DC1 -ServiceName ServiceName | Add-AzureDataDisk -CreateNew -DiskSizeInGB 1 -DiskLabel 'AD' -HostCaching None -LUN 1 -Verbose | Update-AzureVM
You can then use that disk to host the Active Directory database and logs.
Remember: you cannot install DirSync on your domain controllers; you’ll need a separate VM, or use AADSync.
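The whole disk procedure above, end to end, as an added example that is not part of the original post: the first part runs from the management workstation with the classic Azure service-management module (the same Get-AzureVM / Add-AzureDataDisk cmdlets the post uses) and fails if any data disk on the VM still has host caching turned on; the second part runs inside the guest and promotes the server with NTDS and SYSVOL on that uncached disk. The cloud service ‘ServiceName’ and VM ‘DC1’ come from the post; the 20 GB size, the domain name ‘corp.example.com’ and the credentials are placeholders.

```powershell
# Added example, not from the original post. Assumes the classic Azure
# service-management module; 'ServiceName' and 'DC1' are taken from the post,
# the disk size, domain name and account names are placeholders.

# ---- Part 1: run from the management workstation ----
$serviceName = 'ServiceName'
$vmName      = 'DC1'

# Create the data disk for NTDS/SYSVOL with host caching disabled.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'AD' -HostCaching None -LUN 1 |
    Update-AzureVM

# Check: stop if any data disk on this VM still has host caching enabled,
# since placing the AD database or logs on it is an unsupported configuration.
$cached = Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureDataDisk |
    Where-Object { $_.HostCaching -ne 'None' }
if ($cached) {
    $cached | Format-Table DiskLabel, Lun, HostCaching
    throw 'Data disks with host caching enabled were found; do not place AD on them.'
}

# ---- Part 2: run inside the VM (elevated), once the disk is attached ----
# Initialise the new raw disk, create a single partition and format it NTFS.
$disk = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
$volume = $disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'AD' -Confirm:$false
$adRoot = "$($volume.DriveLetter):"

# Promote the server, pointing database, logs and SYSVOL at the uncached disk.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -DatabasePath "$adRoot\NTDS" `
    -LogPath "$adRoot\NTDS" `
    -SysvolPath "$adRoot\SYSVOL" `
    -InstallDns `
    -Force
```

The check in part 1 is deliberately strict: it looks at every data disk on the VM rather than only the one just created, so an older disk left at ReadOnly or ReadWrite caching is caught before promotion rather than discovered after a USN rollback.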
In addition, you need to know that Microsoft Azure is in charge of IP assignment: you do not set a fixed IP inside the VM, you reserve it at the virtual network level in your Azure subscription:
Keep DHCP enabled inside the VM; it will receive the address reserved in your virtual network.
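The address reservation described above, as an added example that is not part of the original post. It uses the classic Azure service-management cmdlets Test-AzureStaticVNetIP, Set-AzureStaticVNetIP and Get-AzureStaticVNetIP to check, reserve and confirm a static internal address for the DC at the virtual-network level, then verifies from inside the guest that the adapter is still on DHCP and has picked up that address. The VNet name ‘CorpVNet’ and the address 10.0.0.4 are placeholders; ‘ServiceName’ and ‘DC1’ are from the post.

```powershell
# Added example, not from the original post. Assumes the classic Azure
# service-management module; 'CorpVNet' and 10.0.0.4 are placeholders,
# 'ServiceName' and 'DC1' are the names used in the post.

$serviceName = 'ServiceName'
$vmName      = 'DC1'
$vnetName    = 'CorpVNet'
$dcIp        = '10.0.0.4'

# ---- Run from the management workstation ----
# Check that the address is free in the virtual network before reserving it.
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $dcIp
if (-not $check.IsAvailable) {
    throw "$dcIp is not available in $vnetName; free addresses: $($check.AvailableAddresses -join ', ')"
}

# Reserve the address for the DC at the virtual-network level, not inside the guest.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureStaticVNetIP -IPAddress $dcIp |
    Update-AzureVM

# Confirm the reservation is recorded on the VM's network configuration.
$reserved = Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureStaticVNetIP
if ($reserved.IPAddress -ne $dcIp) {
    throw "Reservation not applied (VM reports '$($reserved.IPAddress)')"
}

# ---- Run inside the VM ----
# The guest must stay on DHCP; the platform hands it the reserved address as its lease.
$nic = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
    Select-Object -First 1
if ($nic.Dhcp -ne 'Enabled') {
    # A static address set in the guest conflicts with the platform assignment; revert it.
    Set-NetIPInterface -InterfaceIndex $nic.InterfaceIndex -Dhcp Enabled
}
$lease = Get-NetIPAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4
"Guest address: $($lease.IPAddress) (DHCP: $($nic.Dhcp))"
```

Reserving the address before promotion matters for a domain controller: DNS records and replication partners reference the DC by address, so an address that changed on reboot would break name resolution for the whole site.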