Integrate Oracle Cloud Infrastructure Compute Instances to Microsoft Entra Domain Services Managed Domain

Introduction

In modern multicloud and hybrid cloud environments, effective network management and seamless integration between different cloud services are crucial. One such integration challenge is joining an Oracle Cloud Infrastructure (OCI) Compute instance to Microsoft Entra Domain Services (formerly known as Azure Active Directory Domain Services). This setup allows organizations to leverage Microsoft’s robust identity management capabilities while running compute workloads on OCI.

To accomplish this, it is essential to properly configure the network infrastructure, including virtual cloud networks (VCNs), subnets and route tables, and to establish a network connection between OCI and Microsoft Azure. This connection can be achieved using either an OCI Site-to-Site VPN or dedicated interconnect solutions such as OCI FastConnect and Azure ExpressRoute. Additionally, managing Dynamic Host Configuration Protocol (DHCP) options in OCI so that instances use the Domain Name System (DNS) servers of Microsoft Entra Domain Services is critical for domain-join operations.

This tutorial provides a guide to set up the network configuration that enables OCI instances to join Microsoft Entra Domain Services. We will deploy VCNs, establish a site-to-site VPN between OCI and Azure, configure route tables for inter-cloud communication, either create and associate DHCP option sets or add forwarding rules for the Microsoft Entra Domain Services DNS IP addresses in the OCI DNS resolver, deploy compute instances, and verify the connectivity and the domain join process. By following these tasks, organizations can achieve seamless integration between OCI and Microsoft Azure, enabling a unified and secure multicloud environment.

OCI VPN

Objectives

Prerequisites

Task 1: Configure Site-to-Site VPN or Dedicated Interconnect between OCI and Microsoft Azure

To enable secure communication between OCI and Microsoft Azure, we use a site-to-site VPN. This VPN creates an encrypted IPSec tunnel over the internet, connecting OCI’s Virtual Cloud Network (VCN) with Azure’s Virtual Network (VNet). For organizations requiring high reliability, low latency, and dedicated bandwidth, OCI FastConnect is preferred. OCI FastConnect offers a private connection, bypassing the public internet for enhanced security and consistent performance. However, in this setup, we opt for the simplicity and cost-effectiveness of a site-to-site VPN, which is sufficient for integrating services like Microsoft Entra Domain Services. For more information, see VPN Connection to Azure.

  1. Create and configure VPN gateway in OCI.

    1. Log in to the OCI Console, go to Networking and select Dynamic Routing Gateway (DRG).

    2. Create a DRG and attach it to your VCN. For this tutorial, OCI VCN is 10.0.0.0/16.

    3. Set up a Customer-Premises Equipment (CPE) object with the Azure VPN gateway public IP address.

    4. Create an IPSec connection between the DRG and the Azure VPN gateway, using the provided IPSec configuration.

    OCI VPN

  2. Configure VPN gateway in Microsoft Azure.

    1. Log in to the Microsoft Azure Portal, navigate to Virtual Network Gateway.

    2. Create a VPN gateway in the Azure VNet. For this tutorial, Azure VNet is 10.2.0.0/16.

    3. Set up a local network gateway with the OCI VPN gateway’s public IP address.

    4. Establish an IPSec VPN connection to the OCI DRG using the configuration details from OCI.

    Azure VNG

Task 2: Set up Microsoft Entra Domain Services

After establishing the site-to-site VPN between OCI and Microsoft Azure, proceed with setting up Microsoft Entra Domain Services in Microsoft Azure. This service simplifies identity management with features like domain join and Lightweight Directory Access Protocol (LDAP), without needing traditional domain controllers.

  1. Deploy and configure Microsoft Entra Domain Services in Microsoft Azure.

    1. Deploy Microsoft Entra Domain Services using the Microsoft Azure Portal.

    2. Configure domain settings to meet organizational needs.

    3. Ensure that you use a subnet within the same Azure VNet where the site-to-site VPN with OCI is configured.

  2. Get the private IP addresses of Microsoft Entra Domain Services DNS servers.

    1. Note the private IP addresses of DNS servers linked with Microsoft Entra Domain Services.

    2. Configure these IPs for DNS resolution within OCI’s Virtual Cloud Network (VCN) to enable domain name resolution.

    Azure Entra Domain Service

Task 3: Configure DNS Resolution in OCI VCN

Configure DNS resolution within OCI’s Virtual Cloud Network (VCN) to enable domain name resolution. Use the same VCN where you have configured the OCI Site-to-Site VPN established with Microsoft Azure.

  1. Go to the OCI Console, navigate to Networking, Virtual Cloud Network and DNS Resolver.

    OCI DNS Resolver

  2. Create both listening and forwarding endpoints.

    1. Set up endpoints to forward DNS queries for the domain managed by Microsoft Entra Domain Services.

    2. Under Endpoints, click Create Endpoint to configure DNS forwarding.

    3. Enter the Name for the endpoint.

    4. Select a VCN subnet from the list (a subnet in the same VCN for which you configured the site-to-site VPN with the Azure VNet) and select the Endpoint Type as Forwarding. Leave the optional fields and click Create.

    5. Repeat substeps 1 to 4 for listening endpoints.

    OCI DNS Endpoint

  3. Configure rules in OCI.

    1. Define rules to control DNS traffic within the VCN.

    2. Configure forwarding rules to direct queries for the domain managed by Microsoft Entra Domain Services to the endpoints created in Task 3.2.

    3. Under Rule condition, click Domains and Manage rules.

    4. In Domains, enter the domain created in Task 2.

    5. Under Source endpoint, select the endpoints created in Task 3.2.

    6. Enter the IP address of Microsoft Entra Domain Services noted in Task 2.

    7. Repeat substeps 1 to 6 for the second IP address.

    OCI DNS Rule

DNS resolution set up in OCI VCN ensures that OCI instances can securely resolve domain names managed by Microsoft Entra Domain Services over the established VPN connection to Microsoft Azure.

Note: If you want to use the Microsoft Entra Domain Services servers directly as the DNS servers of the OCI instances, you can skip Task 3 and instead edit the default DHCP options: under DNS Type select Custom Resolver, enter the DNS server IP addresses (the Microsoft Entra Domain Services IPs noted in Task 2), select Custom Search Domain, and under Search Domain enter the domain name of the Microsoft Entra Domain Services domain you created. Stop and start all OCI instances in the VCN so that the new DHCP options take effect.

Task 4: Verify DNS Configuration and Network Connectivity

We have configured DNS resolution in the OCI VCN and deployed VMs. Now, verify the setup and enable Internet Control Message Protocol (ICMP) ping to the Microsoft Entra Domain Services IP addresses from the OCI Windows Server instances.

  1. Create Windows Server VM in OCI.

    1. Go to the OCI Console, navigate to Compute and Instances.

    2. Click Create Instance.

    3. Select Windows Server 2016 or 2019 Standard image from the available images.

    4. Specify the subnet where DNS resolution and VPN connectivity are configured.

    5. Configure other instance details as needed (shape, boot volume and networking).

  2. Configure network security rules in OCI.

    1. Go to the OCI Console, navigate to Networking and Virtual Cloud Networks (VCNs).

    2. Edit the security list associated with the subnet where your Windows Server VM is deployed.

    3. Add an ingress rule to allow TCP traffic on port 3389 (RDP) from your network.

    4. Add an ingress rule to allow ICMP traffic (ping) from the Azure VNet CIDR range (10.2.0.0/16) to the IP addresses of the Azure VMs.

  3. Verify the network connectivity.

    1. Log in to the Windows Server VM in OCI.

    2. Open the command prompt and use the ping command to test connectivity to the private IP address of the Microsoft Entra Domain Services.

      Example commands:

      ping <Azure Entra Domain Service IP>
      ping <Azure Entra Domain>
      nslookup <Azure Entra Domain>

    Verify Domain Name Resolution in OCI Compute

    The ICMP ping and nslookup tests confirm connectivity between the OCI Windows Server instances and Microsoft Entra Domain Services.
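    The same verification as the ping and nslookup commands above, run from PowerShell on the OCI Windows Server VM, is shown here as an added example (not part of the Oracle tutorial). Beyond name resolution it checks the _ldap SRV record that a domain join relies on and the TCP ports the join needs; the domain name and the two DNS IP addresses are placeholders you replace with the values noted in Task 2.

```powershell
# Added example (not from the Oracle tutorial): verify DNS and network reachability from the
# OCI Windows Server VM to Microsoft Entra Domain Services before attempting the domain join.
# Placeholder values (assumptions): your managed domain and the two DNS IPs noted in Task 2.
$Domain = 'corp.example.com'          # assumption: Microsoft Entra Domain Services domain name
$DnsIps = @('10.2.0.4', '10.2.0.5')   # assumption: the two DNS IPs, inside the Azure VNet 10.2.0.0/16

# 1. Which resolver is the VM using? Either the Entra DS IPs (DHCP custom resolver, see the Note
#    after Task 3) or the VCN resolver 169.254.169.254 with the forwarding rules from Task 3.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. The domain name must resolve to the managed domain controllers (what nslookup shows above).
Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Format-Table Name, IPAddress -AutoSize

# 3. The domain join locates a DC through this SRV record; if it is missing, the forwarding rule
#    in Task 3 (or the custom search domain in the DHCP options) is wrong, even if step 2 works.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Format-Table NameTarget, Port, Priority -AutoSize

# 4. ICMP plus the TCP ports a join uses: 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB.
#    A blocked port with a working ping usually means a security list or Azure NSG rule is missing.
foreach ($ip in $DnsIps) {
    $icmp = Test-Connection -ComputerName $ip -Count 2 -Quiet
    Write-Host ('ICMP {0}: {1}' -f $ip, $(if ($icmp) { 'OK' } else { 'FAIL' }))
    foreach ($port in 53, 88, 389, 445) {
        $tcp = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        Write-Host ('TCP  {0}:{1} -> {2}' -f $ip, $port, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked' }))
    }
}
```

    If the ports report blocked while ping succeeds, also check the network security group on the Microsoft Entra Domain Services subnet in Azure, which must permit the OCI VCN CIDR (10.0.0.0/16) in addition to the OCI security list rules from step 2.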

Task 5: Join Windows Server VM to Microsoft Entra Domain Services

After verifying DNS and network connectivity, the next task is to join your OCI Windows Server VM to Microsoft Entra Domain Services. Follow these steps to complete the domain join process.

  1. Access system properties.

    1. In Server Manager, click Local Server in the left pane.

    2. In the Properties section, click the Computer Name/Workgroup value; the System Properties window opens.

  2. Join the domain.

    1. Click Change in the System Properties window.

    2. Select Domain and enter the Microsoft Entra Domain Services domain name.

    3. Click OK.

  3. Enter credentials.

    1. When prompted, enter the credentials of a user who is a member of the AAD DC Administrators group.
      • Use the format username@domain.com; the user must be a Microsoft Entra ID user who is a member of the AAD DC Administrators admin group.

    Join OCI Compute to Microsoft Entra Domain

  4. Restart the VM to complete the domain join process.

By following these tasks, your Windows Server VM in OCI will be joined to Microsoft Entra Domain Services.
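The same domain join performed from PowerShell instead of the System Properties dialog, as an added example that is not part of the Oracle tutorial. It assumes a placeholder domain name, checks the DC SRV record and the username@domain.com credential format the tutorial requires before calling Add-Computer, and lists the commands to confirm the machine account after the reboot.

```powershell
# Added example (not from the Oracle tutorial): join the OCI Windows Server VM to the
# Microsoft Entra Domain Services managed domain from PowerShell, then verify after reboot.
$Domain = 'corp.example.com'   # assumption: your Microsoft Entra Domain Services domain name

# A DC must be locatable via DNS first, otherwise Add-Computer fails with "could not be contacted".
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "No DC SRV record for $Domain. Fix the Task 3 forwarding rules or the DHCP custom resolver first."
}

# The account must be a member of 'AAD DC Administrators' and given in UPN form (user@domain),
# as the tutorial states; reject DOMAIN\user or a bare username before sending it anywhere.
$cred = Get-Credential -Message "Member of AAD DC Administrators, as username@$Domain"
if ($cred.UserName -notmatch '^[^@\\]+@[^@\\]+$') {
    throw 'Use the format username@domain.com for the join account.'
}

# Join and restart in one step; -Force suppresses the confirmation prompt.
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart

# After the reboot, confirm the join and the secure channel to the managed domain:
#   (Get-CimInstance Win32_ComputerSystem).PartOfDomain   # expected: True
#   (Get-CimInstance Win32_ComputerSystem).Domain         # expected: your domain name
#   Test-ComputerSecureChannel -Verbose                    # expected: True
#   nltest /dsgetdc:$Domain                                # shows the managed DC the VM located
```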

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.