
Active Directory Authentication - Portal Deployment

DOCUMENT CATEGORY: Runbook
SCOPE: Portal-based cluster deployment with Active Directory authentication
PURPOSE: Deploy Azure Local cluster using domain accounts and AD-managed identity
MASTER REFERENCE: Microsoft Learn — Deploy Azure Local via Portal


Status: Active
Estimated Time: 2–3 hours
Last Updated: 2026-03-09


Overview

Active Directory deployment is the Azure Local Cloud standard for Azure Local clusters. Authentication is managed through domain accounts, with the Life Cycle Manager (LCM) service account pre-created in AD. Nodes must be in workgroup state when the portal wizard runs — the wizard handles domain join automatically during deployment.

Azure Local Cloud Standard Deployment

Active Directory authentication is the recommended and fully supported Azure Local Cloud deployment method for Azure Local. All AD object prerequisites were completed in Phase 02 (Active Directory Configuration). If that work is not done, stop and complete Phase 02 first.


Prerequisites

All items below must be complete before starting the portal wizard. These were completed in earlier phases — this is a verification checklist only.

AD Prerequisites (Phase 02)

| Requirement | Description | Validation |
| --- | --- | --- |
| AD objects pre-created | New-HciAdObjectsPreCreation run successfully | Objects visible in OU=AzureLocal |
| LCM service account | svc-azl-deploy@<DOMAIN> exists, password ≥14 chars | Get-ADUser svc-azl-deploy |
| Computer accounts | Pre-created computer objects for each node in designated OU | Get-ADComputer -SearchBase <OU> |
| Group memberships | LCM account in all required AD groups | Get-ADGroupMember |

Node Prerequisites (Phase 04)

| Requirement | Description | Validation |
| --- | --- | --- |
| Workgroup state | Nodes are NOT domain-joined | (Get-WmiObject Win32_ComputerSystem).PartOfDomain = False |
| Arc registered | All nodes visible in Azure Arc > Servers | Portal: Arc > Servers |
| DNS resolves domain | All nodes can resolve the AD domain FQDN | Resolve-DnsName corp.azurelocal.cloud |
| DC accessible | Domain controller reachable on port 389 from node management IPs | Test-NetConnection <DC_IP> -Port 389 |
| WinRM enabled | Remote management enabled on all nodes | Test-WSMan <NODE_IP> |

Nodes must be in workgroup state

Azure Local requires all nodes to be in WORKGROUP (not domain-joined) before the portal deployment wizard runs. The wizard performs the domain join as part of deployment. If any node is already domain-joined, remove it from the domain before proceeding.

Azure Prerequisites

| Requirement | Description | Validation |
| --- | --- | --- |
| Subscription | Active subscription with Contributor + User Access Administrator | Get-AzSubscription |
| Resource group | Dedicated RG for the cluster | Created in Azure Portal |
| Arc registration | All nodes Arc-registered (Phase 04) | Azure Portal > Arc > Servers |
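The following pre-flight script is an added example, not part of the runbook, that runs the validation commands from the AD (Phase 02) and node (Phase 04) checklists above in one pass. It assumes a domain-joined management host with the ActiveDirectory RSAT module, WinRM reachability to the workgroup nodes (TrustedHosts configured) and a local administrator credential for them; the node names, DC IP and OU values are placeholders modelled on this runbook and must be replaced with the values from your variables.yml.

```powershell
# Added example (not from the runbook): pre-flight checks for the Phase 02 and Phase 04 prerequisite tables.
# Assumes: domain-joined management host, ActiveDirectory RSAT module, WinRM access to workgroup nodes.
$DomainFqdn = 'corp.azurelocal.cloud'                                   # identity.ad.domain_fqdn
$ComputerOU = 'OU=AzureLocal,OU=Servers,DC=corp,DC=azurelocal,DC=cloud' # identity.ad.organizational_unit
$LcmUser    = 'svc-azl-deploy'                                          # identity.accounts.account_lcm_username
$DcIp       = '10.10.10.5'                                              # placeholder DC management IP
$Nodes      = @('iic-01-n01', 'iic-01-n02', 'iic-01-n03')               # placeholder node names

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# --- AD prerequisites (Phase 02) ---
try {
    $u = Get-ADUser -Identity $LcmUser
    Add-Check 'LCM service account exists and is enabled' ([bool]$u.Enabled) $u.UserPrincipalName
} catch {
    Add-Check 'LCM service account exists and is enabled' $false $_.Exception.Message
}

# The password is not readable from AD, so check the one the operator will type into the wizard.
$pw = Read-Host -AsSecureString -Prompt "Password for $LcmUser (length check only, not stored)"
Add-Check 'LCM password >= 14 characters' ($pw.Length -ge 14) "length=$($pw.Length)"

$ouComputers = @(Get-ADComputer -Filter * -SearchBase $ComputerOU -ErrorAction SilentlyContinue)
foreach ($n in $Nodes) {
    Add-Check "Computer object pre-created: $n" ($ouComputers.Name -contains $n) $ComputerOU
}

# --- Node prerequisites (Phase 04), evaluated on each node over WinRM ---
$nodeCred = Get-Credential -Message 'Local administrator credential for the workgroup nodes'
foreach ($n in $Nodes) {
    $winrmOk = $null -ne (Test-WSMan -ComputerName $n -ErrorAction SilentlyContinue)
    Add-Check "WinRM enabled: $n" $winrmOk 'Test-WSMan'
    if (-not $winrmOk) { continue }

    $r = Invoke-Command -ComputerName $n -Credential $nodeCred -ArgumentList $DomainFqdn, $DcIp -ScriptBlock {
        param($Domain, $Dc)
        [pscustomobject]@{
            PartOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
            DnsResolves  = $null -ne (Resolve-DnsName -Name $Domain -ErrorAction SilentlyContinue)
            Ldap389      = (Test-NetConnection -ComputerName $Dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
    Add-Check "Workgroup state: $n"               (-not $r.PartOfDomain) "PartOfDomain=$($r.PartOfDomain)"
    Add-Check "DNS resolves ${DomainFqdn}: $n"     $r.DnsResolves         'Resolve-DnsName'
    Add-Check "DC reachable on 389: $n"           $r.Ldap389             "Test-NetConnection $DcIp -Port 389"
}

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning 'One or more prerequisites failed. Resolve them before starting the portal wizard.'
}
```

A node that is still domain-joined shows PartOfDomain=True and must be removed from the domain before the wizard runs; a failed DNS or port-389 check on any node predicts a failure at the domain-join stage of deployment rather than at validation.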

Variables from variables.yml

| Path | Type | Description |
| --- | --- | --- |
| compute.arm_deployment.cluster_name | string | Cluster name |
| azure_platform.region | string | Azure region |
| identity.ad.domain_fqdn | string | AD domain FQDN |
| identity.ad.organizational_unit | string | AD OU distinguished name |
| identity.accounts.account_lcm_username | string | LCM service account |
| compute.arm_deployment.network_intents[*].intent_adapters | array | Network adapter names |
| compute.arm_deployment.ip_allocation.starting_ip | string | IP pool start |
| compute.arm_deployment.ip_allocation.ending_ip | string | IP pool end |
| compute.arm_deployment.subnet_mask | string | Subnet mask |
| compute.arm_deployment.default_gateway | string | Default gateway |
| compute.arm_deployment.dns_servers | array | DNS servers |
| storage_accounts.storage_accounts.cluster_witness.* | object | Witness storage account |

Portal Deployment

Task 1: Navigate to Azure Local

  1. Open Azure Portal
  2. Search for "Azure Local"
  3. Select Azure Local from results
  4. Click + Create

Task 2: Basics Configuration

| Field | Value | Source |
| --- | --- | --- |
| Subscription | Select subscription | Must have Contributor + UAA |
| Resource group | Select or create | Dedicated RG for cluster |
| Cluster name | <CLUSTER_NAME> | compute.arm_deployment.cluster_name |
| Region | <AZURE_REGION> | azure_platform.azure_tenants[*].aztenant_location |

Add Arc-registered machines:

  1. Click Add machines
  2. Select all Arc-registered nodes from Phase 04
  3. Click Add
  4. Allow time for Arc extension installation to complete before proceeding

Authentication selection:

Under the Identity section of the Basics tab, select Active Directory as the authentication type. Domain credentials are entered in Task 4 below.


Task 3: Configuration

  • Select New configuration (manual configuration)
  • Do NOT use an existing template unless one has been explicitly reviewed and approved for this environment

Task 4: Basics — Domain Credentials

The domain credential fields appear in the Basics tab after selecting Active Directory authentication. There is no separate Identity tab.

| Field | Value | Source |
| --- | --- | --- |
| Authentication type | Active Directory | |
| Domain FQDN | corp.azurelocal.cloud | identity.ad.domain_fqdn |
| Computer OU | OU=AzureLocal,OU=Servers,DC=corp,DC=azurelocal,DC=cloud | identity.ad.organizational_unit |
| Deployment user | svc-azl-deploy@corp.azurelocal.cloud | identity.accounts.account_lcm_username |
| Deployment password | [Enter service account password] | identity.accounts.account_lcm_password (keyvault ref) |

LCM account password requirements

The deployment account password must be at least 14 characters. This is a Microsoft hard requirement for the LCM service account. A password shorter than 14 characters will fail portal validation with no clear error message.

Source: MS Learn — AD Deployment Prerequisites

Computer OU distinguished name

The OU path entered here must exactly match the OU used by New-HciAdObjectsPreCreation in Phase 02. The pre-created computer account objects for each node must reside in this OU at the time the wizard runs. Verify with Get-ADComputer -SearchBase "<OU>" before proceeding.


Task 5: Networking Configuration

Storage connectivity:

| Option | When to use |
| --- | --- |
| Network switch for storage traffic | 3+ node clusters (recommended) |
| No switch for storage | 1–2 node clusters only (switchless) |

Network intents:

Network intents are defined by your planning design

The number of intents, traffic type assignments, and adapter bindings configured here must match the design from your planning and discovery sessions, as captured in variables.yml under compute.arm_deployment.network_intents. Do not assume a specific number of intents or a fixed layout.

Typical layouts:

| Layout | Intent | Traffic types |
| --- | --- | --- |
| 2-intent | Management + Compute | Management, Compute |
| 2-intent | Storage | Storage |
| 3-intent | Management | Management |
| 3-intent | Compute | Compute |
| 3-intent | Storage | Storage |

For adapter assignments for each intent, refer to compute.arm_deployment.network_intents[*].intent_adapters in your variables.yml.

IP allocation:

| Setting | Value | Source |
| --- | --- | --- |
| Starting IP | First available management IP | compute.arm_deployment.ip_allocation.starting_ip |
| Ending IP | Last available management IP | compute.arm_deployment.ip_allocation.ending_ip |
| Subnet mask | e.g., 255.255.255.0 | compute.arm_deployment.subnet_mask |
| Default gateway | Gateway IP | compute.arm_deployment.default_gateway |
| DNS servers | Primary, Secondary | compute.arm_deployment.dns_servers |

IP pool requirement

A minimum of 6 consecutive IPs is required for cluster infrastructure (cluster IP, Arc Resource Bridge IP, etc.). Individual node management IPs are separate; do not include them in this pool.

DNS must resolve the AD domain FQDN

For AD deployments, the DNS servers entered here must be able to resolve identity.ad.domain_fqdn. Nodes query these DNS servers during the domain join step of deployment. If DNS cannot resolve the domain, deployment will fail at domain join.
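The script below is an added example, not part of the runbook, that checks the Task 5 IP allocation and DNS inputs before they are entered in the wizard: pool size against the 6-IP minimum, pool membership in the gateway subnet, exclusion of the gateway and of the per-node management IPs from the pool, and whether every listed DNS server resolves identity.ad.domain_fqdn. The variable names mirror the variables.yml paths in this runbook; all addresses, including the node management IPs, are constructed placeholders.

```powershell
# Added example (not from the runbook): sanity-check Task 5 inputs. All addresses are constructed placeholders.
$StartingIp        = '10.10.20.50'                  # compute.arm_deployment.ip_allocation.starting_ip
$EndingIp          = '10.10.20.60'                  # compute.arm_deployment.ip_allocation.ending_ip
$SubnetMask        = '255.255.255.0'                # compute.arm_deployment.subnet_mask
$DefaultGateway    = '10.10.20.1'                   # compute.arm_deployment.default_gateway
$DnsServers        = @('10.10.10.5', '10.10.10.6')  # compute.arm_deployment.dns_servers
$DomainFqdn        = 'corp.azurelocal.cloud'        # identity.ad.domain_fqdn
$NodeManagementIps = @('10.10.20.11', '10.10.20.12', '10.10.20.13')  # placeholder per-node IPs, must stay outside the pool
$MinimumPoolSize   = 6                              # cluster IP, Arc Resource Bridge IP, etc.

function ConvertTo-IpInt64 ([string]$Ip) {
    # Dotted quad -> 64-bit integer so ranges and subnet membership can be compared arithmetically
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64](([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3])
}
function Test-SameSubnet ([string]$A, [string]$B, [string]$Mask) {
    $m = ConvertTo-IpInt64 $Mask
    ((ConvertTo-IpInt64 $A) -band $m) -eq ((ConvertTo-IpInt64 $B) -band $m)
}

$start    = ConvertTo-IpInt64 $StartingIp
$end      = ConvertTo-IpInt64 $EndingIp
$gw       = ConvertTo-IpInt64 $DefaultGateway
$poolSize = $end - $start + 1

$findings = @(
    [pscustomobject]@{ Check = 'Pool start <= end';                    Pass = ($start -le $end);                     Detail = "$StartingIp-$EndingIp" }
    [pscustomobject]@{ Check = "Pool >= $MinimumPoolSize consecutive"; Pass = ($poolSize -ge $MinimumPoolSize);      Detail = "size=$poolSize" }
    [pscustomobject]@{ Check = 'Pool inside gateway subnet';
                       Pass  = ((Test-SameSubnet $StartingIp $DefaultGateway $SubnetMask) -and (Test-SameSubnet $EndingIp $DefaultGateway $SubnetMask))
                       Detail = "gw=$DefaultGateway mask=$SubnetMask" }
    [pscustomobject]@{ Check = 'Gateway not inside pool';              Pass = -not ($gw -ge $start -and $gw -le $end); Detail = $DefaultGateway }
)

# Node management IPs are assigned separately and must not overlap the infrastructure pool
foreach ($ip in $NodeManagementIps) {
    $v = ConvertTo-IpInt64 $ip
    $findings += [pscustomobject]@{ Check = "Node IP $ip outside pool"; Pass = ($v -lt $start -or $v -gt $end); Detail = 'node IPs are separate from the pool' }
}

# Every DNS server entered in the wizard must resolve the AD domain, or deployment fails at domain join
foreach ($dns in $DnsServers) {
    $ok = $null -ne (Resolve-DnsName -Name $DomainFqdn -Server $dns -Type A -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Check = "DNS $dns resolves $DomainFqdn"; Pass = $ok; Detail = 'Resolve-DnsName -Type A' }
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) {
    Write-Warning 'Fix the failed Task 5 inputs before continuing; these errors surface late, at validation or domain join.'
}
```

Querying each DNS server individually (rather than the host's default resolver) matters because the nodes use exactly the servers entered in the wizard during domain join; a secondary server that cannot resolve the domain is a latent failure that a single resolver check would miss.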


Task 6: Management Configuration

| Setting | Value | Source |
| --- | --- | --- |
| Custom location name | <CLUSTER_NAME>-location | For Arc VM management |
| Cloud witness storage | Create or select storage account | For cluster quorum |

No Key Vault selection for AD deployments

Active Directory deployments do not include a Key Vault selector in the Management tab. AD manages LCM credentials through domain accounts, so there is no Azure Key Vault dependency in the portal wizard. The Key Vault selection seen in Local Identity deployments does not appear here.


Task 7: Security Configuration

| Setting | Recommendation | Notes |
| --- | --- | --- |
| BitLocker for data volumes | Enabled | Encrypt all data volumes |
| BitLocker for OS boot | Enabled | Encrypt OS volumes |
| Credential Guard | Enabled | Protect domain credentials on nodes |
| WDAC | Enabled | Application control policy |
| Drift control | Enabled | Monitor security baseline |
| Side channel mitigation | Enabled | Protect against side-channel attacks |
| SMB signing | Required | Secure SMB traffic |
| SMB cluster encryption | Enabled | Encrypt intra-cluster traffic |

Select Recommended security settings to apply all settings at once.
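As an added example that is not part of the runbook, the script below is meant to be run after deployment completes to confirm on every node that the Task 7 selections actually took effect, using only inbox Windows cmdlets and the Win32_DeviceGuard CIM class. It covers BitLocker (OS and data volumes), Credential Guard, WDAC enforcement and SMB signing; drift control, side-channel mitigation and SMB cluster encryption are not checked here because they need Azure Local-specific tooling this page does not name. The node names are the runbook's sample names.

```powershell
# Added example (not from the runbook): post-deployment verification of the Task 7 security baseline.
# Uses inbox cmdlets only; run from a host with WinRM access to the (now domain-joined) nodes.
$Nodes = @('iic-01-n01', 'iic-01-n02', 'iic-01-n03')   # runbook sample names

$report = Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $smb = Get-SmbServerConfiguration
    $blv = Get-BitLockerVolume

    # Every OS volume and every data volume should report ProtectionStatus 'On'
    $osOn   = ($blv | Where-Object VolumeType -eq 'OperatingSystem' |
               ForEach-Object { $_.ProtectionStatus -eq 'On' }) -notcontains $false
    $dataOn = ($blv | Where-Object VolumeType -eq 'Data' |
               ForEach-Object { $_.ProtectionStatus -eq 'On' }) -notcontains $false

    [pscustomobject]@{
        Node               = $env:COMPUTERNAME
        BitLockerOS        = $osOn
        BitLockerData      = $dataOn
        CredentialGuard    = $dg.SecurityServicesRunning -contains 1          # 1 = Credential Guard running
        WdacEnforced       = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2   # 2 = policy enforced
        SmbSigningRequired = [bool]$smb.RequireSecuritySignature
        DataVolumeCount    = @($blv | Where-Object VolumeType -eq 'Data').Count
    }
}

$report | Sort-Object Node | Format-Table -AutoSize

# Flag any node where one of the checked controls is not in effect
$nonCompliant = $report | Where-Object {
    -not ($_.BitLockerOS -and $_.BitLockerData -and $_.CredentialGuard -and $_.WdacEnforced -and $_.SmbSigningRequired)
}
if ($nonCompliant) {
    Write-Warning "Security baseline not fully applied on: $($nonCompliant.Node -join ', ')"
}
```

DataVolumeCount is reported alongside BitLockerData so that a node with zero data volumes (where the BitLocker data check passes vacuously) is not mistaken for a node whose data volumes are actually encrypted.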


Task 8: Advanced Configuration

Volume creation strategy:

  • Create workload volumes and required infrastructure volumes (Recommended)

Tags:

| Tag | Value |
| --- | --- |
| Environment | Production / Development |
| DeploymentType | ActiveDirectory |
| DeploymentDate | YYYY-MM-DD |

Task 9: Validation

  1. Click Start validation
  2. Wait approximately 15–20 minutes for all checks to complete
  3. Do NOT click "Try again" while validation is running — wait for it to complete or fail before taking any action

Run the validation monitor

While validation runs, start Monitor-Validation.ps1 to see live step status and EnvironmentValidatorFull log output. It auto-exits when validation completes.

Validation checks:

| Check | Description | Action if failed |
| --- | --- | --- |
| Connectivity | All nodes reachable | Verify network connectivity |
| Arc registration | Nodes registered with Arc | Verify Phase 04 completion |
| Domain accessibility | DC reachable from nodes | Test-NetConnection <DC_IP> -Port 389 |
| Storage | Disks available and healthy | Check physical disk health |
| Network | NICs available and configured | Verify NIC drivers and connectivity |
| Azure endpoints | Required endpoints accessible | Check firewall and proxy rules |

Resolve all errors before proceeding to Task 10. Warnings may be acknowledged but should be documented.


Task 10: Review + Create

  1. Review all configuration settings on the summary page
  2. Confirm:
     • All Arc-registered nodes are listed
     • Authentication type shows Active Directory
     • Domain FQDN and OU path are correct
     • Management IP pool has 6+ IPs
     • Storage adapters are configured
  3. Click Create

Deployment Progress

Estimated duration:

| Cluster size | Estimated time |
| --- | --- |
| Single machine | 1.5–2 hours |
| Two-node cluster | ~2.5 hours |
| Three+ node cluster | ~3 hours |

Deployment stages:

  1. Begin cloud deployment (45–60 min)
  2. Install Arc extensions
  3. Join nodes to domain
  4. Configure network intents
  5. Create storage pools and volumes
  6. Deploy Arc Resource Bridge
  7. Provision custom location

Run the deployment monitor

After clicking Create, start Monitor-Deployment.ps1 to track hierarchical step progress and stream OrchestratorFull logs in real time. Press Ctrl+C to exit at any time.

Monitor progress in Azure Portal > Resource Groups > Your RG > Deployments.


Post-Deployment Validation

Verify Azure resources

| Resource type | Count | Description |
| --- | --- | --- |
| Machine — Azure Arc | 1 per node | Arc-connected machines |
| Azure Local instance | 1 | Cluster resource |
| Arc Resource Bridge | 1 | VM management bridge |
| Custom location | 1 | For Arc VM placement |

Verify cluster health

Run on any cluster node or from a management host with network access:

```powershell
# Verify nodes are domain-joined after deployment
Invoke-Command -ComputerName @("iic-01-n01","iic-01-n02","iic-01-n03") -ScriptBlock {
    $cs = Get-WmiObject Win32_ComputerSystem
    [PSCustomObject]@{
        Node         = $env:COMPUTERNAME
        Domain       = $cs.Domain
        DomainJoined = $cs.PartOfDomain
    }
} | Format-Table -AutoSize

# Verify cluster status
Get-Cluster | Format-List Name, QuorumType, QuorumResourceName

# Verify all nodes online
Get-ClusterNode | Format-Table Name, State, NodeWeight

# Verify Storage Spaces Direct health
Get-StoragePool | Format-Table FriendlyName, HealthStatus, OperationalStatus

# Verify volumes
Get-Volume |
    Where-Object FileSystemLabel -match 'ClusterPerf|UserStorage' |
    Format-Table FileSystemLabel, HealthStatus, OperationalStatus, Size
```

RDP is disabled after deployment

RDP is disabled by default on all cluster nodes after deployment completes. To re-enable on a specific node, run this on the node (or via PSRemoting):

```powershell
Enable-ASRemoteDesktop
```

This applies to all Azure Local deployments regardless of identity type.

Source: MS Learn — Deploy via Portal


Troubleshooting

| Issue | Cause | Resolution |
| --- | --- | --- |
| Domain join fails | DC unreachable or wrong credentials | Test-NetConnection <DC_IP> -Port 389 + verify LCM account password |
| LCM password rejected by portal | Password < 14 characters | Reset service account password to ≥14 chars, retry wizard |
| Computer account conflict | Stale pre-existing account in OU | Delete stale computer object from OU, re-run validation |
| Node not domain-joined after deployment | DNS issue during join | Check DNS server setting in Task 5 resolves the AD domain |
| Validation timeout | Azure endpoint connectivity | Check firewall rules for required Azure endpoints |
| Arc extension install fails | Arc agent issue on node | Reinstall Azure Connected Machine agent on affected node |
| Storage configuration fails | Unhealthy physical disk | Get-PhysicalDisk on the affected node |

Collect deployment logs:

Run on a cluster node; retrieves the most recent log files:

```powershell
Get-ChildItem "C:\CloudDeployment\Logs" -Recurse |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 Name, LastWriteTime, Length |
    Format-Table -AutoSize
```

Next Steps

| Deployment status | Next action |
| --- | --- |
| Successful | Proceed to Phase 16: Post-Deployment |
| Failed | Review troubleshooting section and deployment logs; re-run validation |


Version Control

  • Created: 2026-01-30 by Azure Local Cloudnology Team
  • Last Updated: 2026-03-09 by Azure Local Cloudnology Team
  • Version: 1.1.0
  • Tags: azure-local, active-directory, portal, runbook
  • Keywords: active directory, domain deployment, portal deployment, azure local cluster, LCM user
  • Author: Azure Local Cloudnology Team