Toggle to disable deallocation of domain controller VMs in Azure Portal
I'm mainly concerned about my domain controller VMs. I would like to put the equivalent of a lock on these VMs to prevent them from being deallocated, because if they are ever stopped through the Azure portal there are serious consequences, such as those listed in this article: https://www.petri.com/best-practices-domain-controller-vms-azure
The AD DS database is reset
The RID pool is discarded
SYSVOL is marked as non-authoritative
We had an incident recently where both of my domain controller VMs had been deallocated for a short time after the domain had been created. This caused them to stop replicating the SYSVOL between each other and resulted in weird behavior in the domain that took us hours to identify and resolve. The root cause was that the VMs had been deallocated and we weren't aware of the impact deallocating a domain controller could have.
If being able to toggle whether or not a VM can be deallocated in the Azure portal isn't a feature yet, I hope that it will be considered in the future.
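Until such a toggle exists, the deallocation the post describes can at least be caught quickly from the Azure Activity Log, where a portal stop appears as the `Microsoft.Compute/virtualMachines/deallocate/action` operation. The script below is an added example, not code from the post or from Microsoft; the event shape follows the Activity Log schema (`operationName.value`, `status.value`, `resourceId`, `eventTimestamp`, `caller`), and the subscription, resource group and VM names are constructed placeholders.

```python
# Operation written to the Activity Log when a VM is deallocated (a portal "Stop"
# deallocates; a shutdown from inside the guest OS does not and is not logged here).
DEALLOCATE_OP = "Microsoft.Compute/virtualMachines/deallocate/action"


def find_dc_deallocations(events, dc_vm_ids):
    """Return sorted (timestamp, vm_resource_id, caller) tuples for every completed
    deallocation of a domain controller VM.

    events:    Activity Log entries (e.g. exported via `az monitor activity-log list`).
    dc_vm_ids: resource IDs of the DC VMs; Azure resource IDs compare case-insensitively.
    """
    wanted = {vm_id.lower() for vm_id in dc_vm_ids}
    hits = []
    for ev in events:
        if ev.get("operationName", {}).get("value") != DEALLOCATE_OP:
            continue
        # Each operation yields several records (Started, Accepted, Succeeded/Failed);
        # only a Succeeded record means the VM was actually deallocated.
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        vm_id = ev.get("resourceId", "")
        if vm_id.lower() in wanted:
            hits.append((ev["eventTimestamp"], vm_id, ev.get("caller", "unknown")))
    return sorted(hits)


# Constructed sample data (placeholder subscription, resource group and VM names).
VM_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-identity/providers/Microsoft.Compute/virtualMachines/")
DC_VMS = {VM_PREFIX + "dc01", VM_PREFIX + "dc02"}
SAMPLE_EVENTS = [
    {"operationName": {"value": DEALLOCATE_OP}, "status": {"value": "Started"},
     "resourceId": VM_PREFIX + "dc01", "eventTimestamp": "2019-03-04T21:05:10Z",
     "caller": "admin@contoso.example"},
    {"operationName": {"value": DEALLOCATE_OP}, "status": {"value": "Succeeded"},
     "resourceId": VM_PREFIX + "dc01", "eventTimestamp": "2019-03-04T21:06:42Z",
     "caller": "admin@contoso.example"},
    {"operationName": {"value": DEALLOCATE_OP}, "status": {"value": "Succeeded"},
     "resourceId": VM_PREFIX + "web01", "eventTimestamp": "2019-03-04T21:07:00Z",
     "caller": "admin@contoso.example"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"}, "resourceId": VM_PREFIX + "dc02",
     "eventTimestamp": "2019-03-04T22:00:00Z", "caller": "admin@contoso.example"},
]

if __name__ == "__main__":
    for ts, vm_id, who in find_dc_deallocations(SAMPLE_EVENTS, DC_VMS):
        print(f"{ts} DC VM {vm_id.rsplit('/', 1)[-1]} was deallocated by {who}")
```

As a preventive control in the meantime, a ReadOnly management lock on the DC VM rejects the POST-based start, restart and deallocate actions while still allowing the VM to be read, so it comes closest to the requested toggle.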
Tarjei T. Jensen commented
I think you need more than one domain controller. And in more than one location.
I would consider the Azure cloud to be an excellent place for backup DCs if I have servers on the premises. If I only had Azure cloud servers, I would have to have backup DCs on the premises to ensure that the service is available at all times.