
Design 8: Active Directory Basics (RBAC)

Summary

This design covers identity for the platform: Microsoft Entra ID (formerly Azure Active Directory) for cloud identity and Azure RBAC, plus Active Directory Domain Services (AD DS) on VMs for workloads that still need Kerberos/NTLM.

Topology: Identity is global (Entra ID is not bound to a region), but Domain Controllers are deployed in the Hub VNet so legacy authentication stays on the private network.

1. Key Design Decisions (ADR)

ADR-01: Identity Provider

  • Decision: Entra ID.
  • Rationale: It is the identity plane for Azure itself: portal and API sign-in, Azure RBAC role assignments and Conditional Access all evaluate against Entra ID, so it is the authority for cloud identities.

ADR-02: Legacy Auth

  • Decision: AD DS on Windows Server VMs in the Hub.
  • Rationale: Legacy apps need domain-joined servers and Kerberos/NTLM against a classic domain, which requires AD DS rather than Entra ID alone.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  User        |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Login)     |           |      (Identity)          |           |  (App)       |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Entra ID    |           +------------+-------------+           +------+-------+
|  (Cloud)     |---------->| Domain Controller        |<--------->|  VM          |
+--------------+           | (AD DS)                  |           |  (Joined)    |
                           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Subnet: Identity      |                                           |
|   | [DC-01] [DC-02]       |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-app-spoke (10.1.0.0/16)                              |
|   +-----------------------+                                           |
|   | VM (Domain Joined)    |                                           |
|   | DNS: 10.0.1.4 (Hub)   |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR HUB VNet                                                           |
|   +-----------------------+                                           |
|   | [DC-03] (Replica)     |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • DC: Windows Server running AD DS with the DNS Server role; AD-integrated DNS holds the SRV records clients use to locate a DC (Section 10).

5. Strategy: High Availability (HA)

  • DCs: Deploy 2 DCs (DC-01, DC-02) in an Availability Set so they land in different fault and update domains; give clients both addresses as DNS servers so name resolution survives one DC being down.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Multi-Region DC.
  • Process: Deploy DC-03 in West US and promote it as an additional DC. AD replication is automatic once the East US and West US hub VNets are connected (global peering or VPN), the identity NSGs allow DC-to-DC traffic in both directions, and West US has its own AD site and subnet so DC-03 replicates over a site link and West US clients prefer their local DC.

7. Strategy: Backup

  • AD: Scheduled System State Backup of at least one DC (captures the NTDS database, SYSVOL and registry); keep a copy off the DC's own disk.
  • Recycle Bin: Enable AD Recycle Bin so deleted users, groups and computers can be restored with attributes and group memberships intact. It is forest-wide and cannot be turned off once enabled.

8. Strategy: Security

  • NSG on snet-identity: allow inbound only the AD/DNS ports (53, 88, 135, 389, 445, 464, 636, 3268/3269, 123 and the RPC dynamic range 49152-65535) from the spoke and DC subnets, RDP only from the Bastion subnet, and add an explicit Deny-All rule: the built-in AllowVnetInBound rule would otherwise admit any port from every peered VNet.
  • No public IPs on DCs; administer them only through Bastion with dedicated admin accounts.
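The NSG described above as an Az PowerShell script. This is an added example, not code from the original design page. The identity subnet 10.0.1.0/24 and the spoke range 10.1.0.0/16 come from the LLD; the resource group rg-hub-identity, the NSG name nsg-identity and the Bastion subnet range 10.0.2.0/26 are assumptions. It needs the Az module and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the original design): an NSG for snet-identity that admits only
# the ports domain members and partner DCs need, RDP only from Bastion, and denies the rest.
# Assumed: rg-hub-identity, NSG name nsg-identity, Bastion subnet 10.0.2.0/26.
# From the design: snet-identity 10.0.1.0/24, spoke 10.1.0.0/16.

$rg        = 'rg-hub-identity'
$location  = 'eastus'
$dcSubnet  = '10.0.1.0/24'
$clients   = @('10.1.0.0/16')          # add each spoke that hosts domain-joined VMs
$dcPeers   = @($dcSubnet)              # add the DR hub identity subnet once DC-03 exists
$bastion   = '10.0.2.0/26'             # AzureBastionSubnet (assumed range)

# Ports a domain member uses against a DC. 135 plus the dynamic range cover RPC
# (replication, some admin tools); Kerberos, LDAP and DNS are TCP and UDP, hence '*'.
$services = @(
  @{ Name = 'Allow-DNS';      Proto = '*';   Ports = @('53') },
  @{ Name = 'Allow-Kerberos'; Proto = '*';   Ports = @('88', '464') },
  @{ Name = 'Allow-LDAP-GC';  Proto = '*';   Ports = @('389', '636', '3268', '3269') },
  @{ Name = 'Allow-SMB';      Proto = 'Tcp'; Ports = @('445') },
  @{ Name = 'Allow-RPC';      Proto = 'Tcp'; Ports = @('135', '49152-65535') },
  @{ Name = 'Allow-NTP';      Proto = 'Udp'; Ports = @('123') }
)

$priority = 100
$rules = @(foreach ($s in $services) {
  New-AzNetworkSecurityRuleConfig -Name $s.Name -Access Allow -Direction Inbound `
    -Priority $priority -Protocol $s.Proto `
    -SourceAddressPrefix ($clients + $dcPeers) -SourcePortRange '*' `
    -DestinationAddressPrefix $dcSubnet -DestinationPortRange $s.Ports
  $priority += 10
})

# Management path: RDP only from the Bastion subnet, never from the internet or spokes.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion' -Access Allow `
  -Direction Inbound -Priority 200 -Protocol Tcp `
  -SourceAddressPrefix $bastion -SourcePortRange '*' `
  -DestinationAddressPrefix $dcSubnet -DestinationPortRange '3389'

# Explicit deny. Without it the built-in AllowVnetInBound rule (priority 65000) admits
# any port from the whole VNet and from every peered VNet.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Access Deny `
  -Direction Inbound -Priority 4000 -Protocol '*' `
  -SourceAddressPrefix '*' -SourcePortRange '*' `
  -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg  = New-AzNetworkSecurityGroup -Name 'nsg-identity' -ResourceGroupName $rg `
          -Location $location -SecurityRules $rules
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-identity' `
  -AddressPrefix $dcSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the effective rule order before moving on.
$nsg.SecurityRules | Sort-Object Priority |
  Format-Table Priority, Name, Access, Protocol, DestinationPortRange -AutoSize
```

The NSG also applies to traffic between the two DCs inside snet-identity, which is why the subnet's own prefix is in the source list; when DC-03 is added, its subnet goes into $dcPeers on both hubs.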

9. Well-Architected Framework Analysis

  • Reliability: High (two DCs in an Availability Set plus a replica in West US).
  • Security: High (no public IPs, NSG-restricted identity subnet, Bastion-only management).
  • Cost Optimization: Medium (three Windows VMs running continuously plus Bastion).
  • Operational Excellence: High (standard AD tooling; replication and Recycle Bin are built in).
  • Performance Efficiency: High (DCs sit in the hub, one peering hop from every spoke).

10. Detailed Traffic Flow

1. Boot: Spoke VM boots and receives the VNet DNS setting (10.0.1.4) through Azure DHCP.

2. DNS: The DC locator queries 10.0.1.4 for the SRV record _ldap._tcp.dc._msdcs.corp.contoso.com to find a DC (port 53 across the peering and through the identity NSG).

3. Login: User logs in. The VM sends a Kerberos AS-REQ to the DC's KDC (port 88) and receives a TGT, then requests service tickets (TGS) for the resources it uses. If DNS or port 88 is blocked, the logon falls back to cached credentials or fails.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Hub VNet (Prerequisite)

  • *Ensure vnet-hub exists as per Design 5.*
  • Subnet: Ensure snet-identity (10.0.1.0/24) exists in vnet-hub.

Phase 2: Deploy Domain Controller VM

1. Search: "Virtual machines" -> + Create.

2. Resource Group: rg-hub-identity.

3. Name: vm-dc-01.

4. Region: East US.

5. Image: Windows Server 2019 Datacenter.

6. Size: Standard_B2s (burstable, cost effective for a small lab DC; use a non-burstable size for production logon volumes).

7. Networking:

* VNet: vnet-hub.

* Subnet: snet-identity.

* Public IP: None (management access is through Azure Bastion only, see Phase 3).

8. Create.

Phase 3: Install AD DS (via Bastion)

1. Connect to vm-dc-01 via Azure Bastion.

2. Open Server Manager.

3. Manage -> Add Roles and Features.

4. Select Active Directory Domain Services.

5. Complete the wizard and Install.

6. Post-deployment Configuration:

* Click the flag icon (Notifications).

* Promote this server to a domain controller.

* Add a new forest: Root domain name corp.contoso.com.

* Set DSRM password.

* Install (Server will reboot).
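Phase 3 as PowerShell, run on the DC VM over Bastion, together with the post-promotion steps Sections 5, 6 and 7 call for (additional DCs, the West US site, Recycle Bin, system state backup). This is an added example, not code from the original page. The domain corp.contoso.com, DC-01/DC-02 in East US and the DC-03 replica in West US come from the design; the NetBIOS name CORP, the site name WestUS, the DR subnet 10.2.0.0/16 (the design does not state the DR hub range) and the backup target E: are assumptions.

```powershell
# Added example (not from the original page): Phase 3 and the Section 5-7 follow-ups.
# From the design: corp.contoso.com, DC-01/DC-02 East US, DC-03 West US replica.
# Assumed: NetBIOS name CORP, site WestUS, DR subnet 10.2.0.0/16, backup target E:.

### On vm-dc-01: create the forest ###
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the DSRM password instead of embedding it in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'

# The VM reboots when promotion completes.
Install-ADDSForest `
  -DomainName 'corp.contoso.com' -DomainNetbiosName 'CORP' `
  -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
  -InstallDns:$true `
  -SafeModeAdministratorPassword $dsrm `
  -Force:$true

### After the reboot, still on vm-dc-01 ###
# Section 7: the Recycle Bin is a forest-wide, one-way switch; enable it before anything
# important gets deleted.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
  -Scope ForestOrConfigurationSet -Target 'corp.contoso.com' -Confirm:$false

# Section 6: give the DR region its own AD site and subnet so DC-03 replicates over a
# site link and West US clients prefer their local DC. Hub and spoke ranges are from
# the LLD; the DR range is assumed.
New-ADReplicationSite -Name 'WestUS'
New-ADReplicationSubnet -Name '10.0.0.0/16' -Site 'Default-First-Site-Name'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Default-First-Site-Name'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'WestUS'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'WestUS' }

# Section 7: system state (NTDS database, SYSVOL, registry) backup of this DC.
Install-WindowsFeature -Name Windows-Server-Backup
wbadmin start systemstatebackup -backupTarget:E: -quiet

### On vm-dc-02 (East US) and vm-dc-03 (West US): add a replica DC ###
# Prerequisite: the VM's VNet DNS already points at 10.0.1.4 (Phase 4) so it can locate
# the existing domain. Use -SiteName 'WestUS' on vm-dc-03.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message 'CORP domain admin for promotion'
Install-ADDSDomainController `
  -DomainName 'corp.contoso.com' -Credential $cred `
  -SiteName 'Default-First-Site-Name' `
  -InstallDns:$true `
  -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
  -Force:$true

# After the reboot: confirm every DC sees every other DC and no replication failures.
repadmin /replsummary
```

The site and subnet objects must exist before DC-03 is promoted; otherwise DC-03 lands in Default-First-Site-Name and West US clients will happily authenticate against East US.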

Phase 4: Configure VNet DNS

1. Get the Private IP of vm-dc-01 (e.g., 10.0.1.4) and set the NIC's private IP allocation to Static so it never changes: every VNet and every client will reference this address as a DNS server.

2. Go to vnet-hub -> DNS Servers.

3. Custom: Enter 10.0.1.4.

4. Save.

5. *Repeat for any Peered Spoke VNets so they can resolve the domain. VMs already running in those VNets must be restarted before they pick up the new DNS server.*
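Phase 4 with Az PowerShell, applied to the hub and then to every VNet peered with it, as an added example that is not part of the original page. vnet-hub and DC-01 at 10.0.1.4 come from the design; the resource group rg-hub-identity and DC-02 at 10.0.1.5 are assumptions (listing both DCs keeps resolution working while one is down), and the spokes are assumed to be in the same subscription as the hub.

```powershell
# Added example (not from the original page): set custom DNS on vnet-hub and on each
# VNet peered with it. From the design: vnet-hub, DC-01 = 10.0.1.4.
# Assumed: rg-hub-identity, DC-02 = 10.0.1.5, spokes in the same subscription.

$hubRg = 'rg-hub-identity'
$dcIps = @('10.0.1.4', '10.0.1.5')

function Set-VnetDnsServers {
  param([string]$Name, [string]$ResourceGroup, [string[]]$Servers)
  $vnet = Get-AzVirtualNetwork -Name $Name -ResourceGroupName $ResourceGroup
  if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
  }
  # Replaces Azure-provided DNS for the whole VNet; delivered to VMs through DHCP.
  $vnet.DhcpOptions.DnsServers = $Servers
  $vnet | Set-AzVirtualNetwork | Out-Null
  "$Name -> $($Servers -join ', ')"
}

$hub = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $hubRg
Set-VnetDnsServers -Name $hub.Name -ResourceGroup $hub.ResourceGroupName -Servers $dcIps

# Follow each peering from the hub and give the remote (spoke) VNet the same servers.
# A remote VNet id has the form
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<name>
foreach ($peer in $hub.VirtualNetworkPeerings) {
  $parts = $peer.RemoteVirtualNetwork.Id -split '/'
  $rgIdx = [array]::IndexOf($parts, 'resourceGroups')
  Set-VnetDnsServers -Name $parts[-1] -ResourceGroup $parts[$rgIdx + 1] -Servers $dcIps
}
```

Run this before promoting DC-02 or DC-03: a VM can only join or replicate a domain it can resolve, and until the VNet setting changes it is still asking Azure DNS.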

Phase 5: Join a Spoke VM to Domain

1. Deploy a VM in a Spoke VNet.

2. Ensure Spoke VNet DNS is pointing to 10.0.1.4.

3. Login to Spoke VM.

4. System Properties -> Change settings -> Domain.

5. Enter corp.contoso.com.

6. Enter credentials of an account permitted to join computers to the domain. Least privilege: use a delegated join account where one exists rather than Domain Admin, so Tier-0 credentials are never typed into member servers.

7. Restart. After the reboot, log in with a domain account (CORP\user) and confirm the secure channel with nltest /sc_verify:corp.contoso.com.
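Phase 5 as a PowerShell script run on the spoke VM, with the DNS, SRV and Kerberos checks from Section 10 made explicit before the join is attempted. This is an added example, not code from the original page. corp.contoso.com and 10.0.1.4 come from the design; the OU path OU=Servers,DC=corp,DC=contoso,DC=com is an assumption (create it first, or drop -OUPath to land in the default Computers container).

```powershell
# Added example (not from the original page): pre-flight checks, then domain join, on the
# spoke VM. From the design: corp.contoso.com, DC at 10.0.1.4. Assumed: the OU path.

$domain = 'corp.contoso.com'
$dcIp   = '10.0.1.4'

# 1. Boot (Section 10): the VM should already be using the hub DC as DNS, set on the
#    VNet in Phase 4 and handed out by DHCP. If not, fix the VNet, not the VM.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
if ($dns -notcontains $dcIp) {
  throw "VM DNS is '$($dns -join ', ')', expected $dcIp. Fix the VNet DNS setting first."
}

# 2. DNS (Section 10): locate a DC the way the DC locator does, via the SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV record for $domain; the AD DNS zone is not reachable." }
$dcHost = @($srv)[0].NameTarget
"DC located via SRV: $dcHost"

# 3. Login (Section 10) needs Kerberos (88); the join itself also needs LDAP (389) and
#    SMB (445). A failure here almost always means the identity subnet NSG.
foreach ($port in 88, 389, 445) {
  $ok = (Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
  if (-not $ok) { throw "TCP $port to $dcHost is blocked; check the snet-identity NSG." }
}

# 4. Join with an account permitted to join computers (a delegated join account rather
#    than Domain Admin where one exists). -Restart completes the join.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain -Credential $cred `
  -OUPath 'OU=Servers,DC=corp,DC=contoso,DC=com' -Restart -Force

# After the reboot, as a domain user: nltest /sc_verify:corp.contoso.com (secure channel)
# and klist (a krbtgt/CORP.CONTOSO.COM ticket proves the Kerberos path in step 3 works).
```

Each check fails on the layer that is actually broken (VNet DNS, AD DNS zone, NSG), which is quicker than reading "The specified domain either does not exist or could not be contacted" out of the System Properties dialog.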