Can I connect an on premises Windows 10 machine through Azure VPN Gateway - Basic - to a DC in Azure -P2S - this is a student lab. We don't have Azure AD Tenant. Just a point to site connection with certificate authentication.

Question

Can I connect an on premises Windows 10 machine through Azure VPN Gateway - Basic - to a DC in Azure -P2S - this is a student lab. We don't have Azure AD Tenant. Just a point to site connection with certificate authentication.

Dave 20

We have a student lab setup - students have servers in Azure and have configured Azure VPN Gateway with the Basic SKU. We can connect Windows 10/11 machines to Azure with tunnel using self signed certificates. We can ping the server in Azure and can see file shares like \10.0.0.4\sharedfolder\file.txt

We would like to connect the client to the server in Azure after promoting the Server in Azure to a domain controller. Is this possible? How do you set the DNS configuration of the VPN Tunnel? The settings for subnet IP are for a 172.x.x.0/27 type address.

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T05:01:26.01+00:00

@Dave

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
Dave 20 Reputation points

2023-05-30T18:01:57.9266667+00:00

So, I thought I would follow up. The setting I changed on the Azure Portal was under Virtual Network - switched DNS to custom and put in the internal 10.0.0.4 address of my DC. Now when I connect to the VPN Gateway tunnel from Windows 10 I can "see" the domain when the tunnel is connected. I switched from a Workgroup to the domain name of the DC that is in Azure. The DC in Azure shows the client in Computers in the ADUC console. Success! At least for this part of the lab assignment.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-31T03:46:37.8133333+00:00

@Dave

Glad to hear that :).

I have converted my comment to an answer now.

Please do let me know if you have any follow-up questions, and I shall be glad to address them as always.

If not, please Accept the answer and close this thread

Cheers,

Kapil
Dave 20 Reputation points

2023-05-31T15:56:55.9933333+00:00

So, my earlier excitement has been dampened. By using the Custom DNS setting on the Virtual Network setting I was able to join the computer to the domain, BUT -- I can't logon to the domain with a domain user account since the tunnel connection isn't persistent. I need to logon to the local user account on the client, start the tunnel first. I have tried creating a batch file to start the tunnel, but it doesn't seem to work yet. In the "real world" you would probably use an Azure AD Tenant. We can't create those in the student lab setup. We logon to Azure using our .edu credentials but are authenticated by our Azure and our college Active Directory, so if we try to create a tenant it says we don't have the rights to do so. I thought certificate authentication to the VPN Gateway would be a good alternative, and it is for file access. It has been a good learning experience for my students.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-31T16:14:23.0933333+00:00

@Dave

I understand your scenario now.

However, had you informed this requirement in your initial question, I would have pointed this out earlier.

I was hoping that you just wanted to know about the connectivity part.

The authentication part is quite different and it is not a recommended approach to use Azure VMs as DC to authenticate the clients, as this would require you to be already connected to the tunnel like you said.

Azure AD Tenant works differently as the authentication will happen via Internet and not the P2S Tunnel.

If your main goal is file access, then yes, certificate authentication should do the trick.

Cheers,

Kapil

Accepted answer

0 additional answers

Your answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-29T05:01:26.01+00:00

@Dave

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
Dave 20 Reputation points

2023-05-30T18:01:57.9266667+00:00

So, I thought I would follow up. The setting I changed on the Azure Portal was under Virtual Network - switched DNS to custom and put in the internal 10.0.0.4 address of my DC. Now when I connect to the VPN Gateway tunnel from Windows 10 I can "see" the domain when the tunnel is connected. I switched from a Workgroup to the domain name of the DC that is in Azure. The DC in Azure shows the client in Computers in the ADUC console. Success! At least for this part of the lab assignment.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-31T03:46:37.8133333+00:00

@Dave

Glad to hear that :).

I have converted my comment to an answer now.

Please do let me know if you have any follow-up questions, and I shall be glad to address them as always.

If not, please Accept the answer and close this thread

Cheers,

Kapil
Dave 20 Reputation points

2023-05-31T15:56:55.9933333+00:00

So, my earlier excitement has been dampened. By using the Custom DNS setting on the Virtual Network setting I was able to join the computer to the domain, BUT -- I can't logon to the domain with a domain user account since the tunnel connection isn't persistent. I need to logon to the local user account on the client, start the tunnel first. I have tried creating a batch file to start the tunnel, but it doesn't seem to work yet. In the "real world" you would probably use an Azure AD Tenant. We can't create those in the student lab setup. We logon to Azure using our .edu credentials but are authenticated by our Azure and our college Active Directory, so if we try to create a tenant it says we don't have the rights to do so. I thought certificate authentication to the VPN Gateway would be a good alternative, and it is for file access. It has been a good learning experience for my students.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-05-31T16:14:23.0933333+00:00

@Dave

I understand your scenario now.

However, had you informed this requirement in your initial question, I would have pointed this out earlier.

I was hoping that you just wanted to know about the connectivity part.

The authentication part is quite different and it is not a recommended approach to use Azure VMs as DC to authenticate the clients, as this would require you to be already connected to the tunnel like you said.

Azure AD Tenant works differently as the authentication will happen via Internet and not the P2S Tunnel.

If your main goal is file access, then yes, certificate authentication should do the trick.

Cheers,

Kapil

Answer 1

@Dave

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you please elaborate on what you mean by "How do you set the DNS configuration of the VPN Tunnel?".

To answer your questions,

We would like to connect the client to the server in Azure after promoting the Server in Azure to a domain controller. Is this possible?
1. Yes
2. The Azure VM being a DC has no effect on the plain network connectivity
3. You should be able to ping and TcpPing the VM from P2S clients nevertheless.
How do you set the DNS configuration of the VPN Tunnel?
1. I assume that you would like the Remote P2S Clients to use this VM(DC) as DNS servers
2. I believe the above is your requirement, if not, please do let me know
3. Now, you can make requests to certain domain go to a VM in Azure - This is doable.
4. For this, you have to edit the configuration files
  1. Add DNS Suffix - If your domain is contoso.com, you must add <dnssuffix>.constoso.net</dnssuffix>
  2. Add Custom DNS Servers - You must add the DC server IP <dnsserver>x.x.x.x</dnsserver> which will resolve your DNS queries.
  POINT TO NOTE:

The above are only supported for OpenVPN protocol connections.
I see you have mentioned to have use Basic SKU
So please upgrade to a SKU that supports OpenVPN

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Share via

Can I connect an on premises Windows 10 machine through Azure VPN Gateway - Basic - to a DC in Azure -P2S - this is a student lab. We don't have Azure AD Tenant. Just a point to site connection with certificate authentication.

0 additional answers

Your answer