I have found that Azure is a great place to run your secondary domain controller.  If you have multiple branches, one could connect them together with MPLS through the help of your ISP.  Or if you have only one office you could run an IP Sec tunnel right from your on premises firewall to Azure.  But, if you do have a WAN environment, it would be best to get your ISP involved and connect the VPN from their edge routers to Azure.  The point is your virtual machines in Azure don’t have to be inaccessible from your on-premises site. Setting up an IP Sec tunnel will connect your on premises active directory to Azure.So, if you don’t have an Azure validated VPN device and your ISP does not support ExpressRoute don’t worry, you can still use a traditional site to site VPN tunnel between an Azure virtual network and your existing on-premises active directory.  I also would recommend to build any new Azure infrastructure with Resource Manager and not classic.  Some prerequisites are as follows: You need to have an Azure subscription, you need to have a device in your on-premises network that can negotiate one end of the S2S VPN tunnel, and You need to have an available private IP address space that does not overlap with any existing address spaces in your on-premises network.   I recommend that you create the site to site vpn tunnel before creating a virtual machine.  After the tunnel has been created, proceed with creating the VM.  You should be able to change the dns to your on premises domain controller and ping your local active directory from the Azure VM.  Once communication has been established between Azure and on premises systems join the vm to your domain.  Then proceed with promoting to a secondary domain controller following Microsoft’s “Best Practices”.