Azure VM, Active Directory and a Dedicated Disk
Installing the AD DS role onto an Azure virtual machine? Creating a Domain Controller in the cloud? Are you sure you want to do this?
For all Domain Controllers you create on an Azure virtual machine, in addition to the system OS disk (C:\) you MUST add a dedicated disk and ensure that your AD DS install wizard or script uses this dedicated disk as the location for both the Active Directory database (NTDS) and the replicated system volume (SYSVOL) during the Role installation.
IMPORTANT: For this dedicated disk, ensure that the ‘Azure Disk Host Cache’ is set to NONE.
Failure to do this risks the corruption of your Active Directory database.
The relevant Microsoft documentation can be found here: https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx?f=255&MSPPError=-2147217396
I’ve extracted the exact section below, which saves you going through the whole web page above:
“Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction is complete from the perspective of the VM’s operating system. It provides durability, at the expense of slightly slower writes.
This is important for Windows Server AD DS because write-behind disk-caching invalidates assumptions made by the DC. Windows Server AD DS attempts to disable write caching but it is up to the disk IO system to honor it. Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering objects and other problems.
As a best practice for virtual DCs, do the following:
- Set the Host Cache Preference setting on the Azure data disk for NONE. This prevents issues with write caching for AD DS operations.
- Store the database, logs, and SYSVOL on either the same data disk or separate data disks. Typically, this is a separate disk from the disk used for the operating system itself. The key takeaway is that the Windows Server AD DS database and SYSVOL must not be stored on an Azure Operating System disk type. By default, the AD DS installation process installs these components in %systemroot% folder, which is NOT recommended for Azure.”
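Putting the instruction above and Microsoft’s two best-practice points into a script: the following PowerShell is an added example (not from the original post or from the Microsoft page) that attaches a data disk with host caching set to None, promotes the DC with NTDS, logs and SYSVOL on that disk, and then checks that both settings really took effect. The resource group ‘rg-ad’, VM ‘dc01’, disk ‘dc01-ntds’, drive letter F: and domain ‘corp.example.com’ are assumed placeholders; stage 1 runs from a workstation with the Az module, stages 2 and 3 run inside the VM.

```powershell
# Added example, not the post's or Microsoft's own code. Assumed placeholders:
# resource group 'rg-ad', VM 'dc01', data disk 'dc01-ntds', drive F:, domain 'corp.example.com'.

# --- 1. From a management workstation: attach a dedicated data disk with
#        host caching disabled, then confirm the setting is in place. ---
$vm = Get-AzVM -ResourceGroupName 'rg-ad' -Name 'dc01'
$vm = Add-AzVMDataDisk -VM $vm -Name 'dc01-ntds' -Lun 0 -CreateOption Empty `
        -DiskSizeInGB 64 -Caching None        # None = write-through to Azure storage
Update-AzVM -ResourceGroupName 'rg-ad' -VM $vm

# Check: every data disk on the DC must report Caching = None
$vm  = Get-AzVM -ResourceGroupName 'rg-ad' -Name 'dc01'
$bad = $vm.StorageProfile.DataDisks | Where-Object { $_.Caching -ne 'None' }
if ($bad) { throw "Data disk(s) with host caching enabled: $($bad.Name -join ', ')" }

# --- 2. Inside the VM: bring the new raw disk online as F:, then promote the DC
#        with the database, logs and SYSVOL all on F: instead of %systemroot%. ---
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'corp.example.com' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -Prompt 'DSRM password' -AsSecureString) `
    -InstallDns -Force

# --- 3. After the reboot: verify the DC is really using the data disk by reading
#        the paths AD DS and Netlogon recorded in the registry. ---
$ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nl    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$paths = @{
    'NTDS database' = $ntds.'DSA Database file'
    'NTDS logs'     = $ntds.'Database log files path'
    'SYSVOL'        = $nl.SysVol
}
foreach ($p in $paths.GetEnumerator()) {
    if ($p.Value -like "$env:SystemDrive*") {
        Write-Warning "$($p.Key) is on the OS disk: $($p.Value)"   # violates the guidance above
    } else {
        "$($p.Key): $($p.Value)"
    }
}
```

To add a further DC to an existing domain rather than create a new forest, replace Install-ADDSForest with Install-ADDSDomainController and keep the same three path parameters.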