I want to connect on premises primary domain controller to Azure Additional domain controller, Can i use point to site VPN to establish connectivity both way.

Uzair Ahmed 1 Reputation point

My idea is to connect on-prem primary DC to azure secondary DC via VPN, Can I use point-to-site VPN connectivity to achieve the result.

Microsoft Entra
{count} votes

1 answer

Sort by: Most helpful
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee

    @Uzair Ahmed

    Thank you for your query. From your query, I understand that you have two domain controllers where one is on-premise and another is on the Azure Cloud. You would like to use Azure P2S VPN to connect the two domain controllers .

    You can do it however it can be hassle depending upon how you set it up . At this point we will consider only 2 domain controllers scenario with on-prem DC ; one in Azure being DC2 and another in on-prem called DC1 . Lets also say that the Azure VM is the machine is the one which is already a domain controller at this point .You need to configure your Azure Virtual network beforehand an setup the domain controllers IP address in the custom DNS section .


    In order to setup a P2S connection you will first need to have the virtual network of your domain controller in azure connected to the Azure virtual network gateway . On the virtual network gateway you can setup point-to-site configuration . Here we set an IP address pool . This pool is the list of IP addresses , from which the IP address will be provided to your on-premise DC which would create a P2S connection.


    When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

    You need to make sure that the IP range defined in the address pool above is not same as the local IP subnet range to avoid network conflict. Now lets say that we already have a Domain controller DC2 running in Azure within a VNET2 connected to the Virtual network gateway in Azure. In on-premise we have DC1 where we will be setting up the Azure P2S client as downloaded from the above page. Once we start a point to site VPN connection , the DC1 will get a new IP address and from the address pool as defined on the Virtual Network gateway P2S config on Azure.

    Once this is connected you will need to point to the DNS address of DC2 in Azure in order to install the domain controller role on the on-premise machine called DC1 . Make sure that you install the DNS role as well along with domain controller role on DC1 in on-prem here while configuring this . Once the DNS data is replicated , Make sure that the service record of the DC are registered in the DNS against IP address received from the Azure P2S service and not the local DNS service. Netlogon registers the service records on every domain controller . Now after the first time setup the DC will need to be rebooted once. Make sure you setup the machine to point to itself for Primary DNS . Check the forward lookup zone for your domain in the DNS management console.


    Now reboot the machine . Once rebooted you will have to reconnect the P2S VPN . Now the fun begins here because the IP address that your DC1 will get may not be same as earlier because there could be other P2S connection which would get the last VPN IP from the address pool . Here getting the same IP is important for things to be smooth else you will see issues with replication of AD database , Sysvol replication , DNS data etc. You can use the following command to register the new service records in the DNS using the new VPN IP obtained in P2S connection or restart the netlogon service on the on-premise DC1 domain controller.

    nltest /DSREGDNS /SERVER:<servername>

    DC needs to register all the service records like tcp Kerberos ldap etc. in the DNS every time the IP is updated. Along with that you will need to create a subnet related to the DC in Azure and make sure that the site links are created only for the DC from which you have P2S connectivity setup. If you have only these 2 domain controllers then it would work because there is no other Active directory site in the AD configuration . However if you have multiple domain controllers , you may see replications errors periodically whenever there is a change in IP address. So you can run this setup but it is not something I would recommend to do . In this setup since the IP will be changing so you will be fixing AD replication and sysvol replication error most of the times if restarting netlogon service on the domain controller did not immediately register the service record and fixes the errors automatically .

    Alternately if your question was around Azure AD domain services since you have used that tag to ask the question , I do not think you will be able to add an Azure based domain controller . Azure AD domain services is a on-premise Domain controller like service maintained in Azure where you get limited access to connect to the domain controller to manage it , but the host Virtual machines hosting these domain controller roles are managed by Azure. In this case you have 2 domain controllers and you can not add another one to this system . It is not designed to be a on-premise Active directory replacement but a way for originations to use applications which use legacy authentication using Kerberos/NTLM etc. You can read more after checking the linked article and if this was not related to your query , please ignore this part.

    Hope the details in this answer helped you . If the information provided in this answer was helpful , please accept this post as answer which will help others in the community searching for similar queries, In case you have further queries , please let us know and we will be happy to help .

    Thank you .


    • Please don't forget to click on 130616-image.png whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification
    • If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
    1 person found this answer helpful.
    0 comments No comments