(C) 2012 Dean Suzuki, All Rights Reserved 1
Dean Suzuki Blog
Title: Deploying AD into Windows Azure with No Corporate Connectivity
Created: 6/2/2014
Description:
In this blog post, I record the process that I went through to build an Active Directory (AD) environment
in Microsoft Azure. There are multiple scenarios for deploying AD in Azure. This post documents the
scenario with no connectivity back to the corporate network: essentially a stand-alone AD forest in
Azure. A future blog post will work through the other scenarios. Please refer to the article
(http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx) for a description of the other
scenarios.
[Diagram: stand-alone AD forest in Microsoft Azure; domain controller DC1Int at 10.0.0.10]
References:
http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx ; Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
http://msdn.microsoft.com/en-us/library/dn631643.aspx ; Configure a Cloud-Only Virtual Network in the Management Portal
http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/ ; Install a new Active Directory forest on an Azure virtual network
Disclaimer:
Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the
views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved
Table of Contents
1 Create the Azure Virtual Network ... 3
1.1 Creating a Cloud-Only Network ... 3
2 Install Active Directory in Azure ... 4
2.1 Create the VM to Host the Domain Controller ... 5
2.2 Set Static IP Address for VM ... 7
2.2.1 Download and Install PowerShell for Azure ... 7
2.2.2 Connect to your Azure subscription ... 8
2.2.3 Verify that Static IP Address is Available ... 9
2.2.4 Update VM with Static IP Address ... 9
2.3 Add a Data Disk to VM for AD Database ... 10
2.4 Install Active Directory ... 12
2.4.1 Install Active Directory Domain Services Role (AD DS) ... 12
2.4.2 Promote the machine to a domain controller ... 16
2.5 DNS Configuration ... 20
2.6 Configure the DNS Server on the Azure Virtual Network ... 21
1 Create the Azure Virtual Network
You have a couple of options when creating an Azure Virtual Network. They are:
- Create a Cloud-Only Network that will only exist in Azure
- Create a network that will be connected through VPN with your on-premises corporate network.
1.1 Creating a Cloud-Only Network
This section describes how to create a cloud-only network (not connected to the corporate network).
NOTE: It's important to create the Azure Virtual Network before creating the virtual machine, because
you can't go back and put a VM in a virtual network after you've created the VM.
See http://msdn.microsoft.com/en-us/library/dn631643.aspx
1. Log in to the Windows Azure Management Portal (manage.windowsazure.com)
2. In the lower left-hand corner of the screen, click New. In the navigation pane, click Networks, and
then click Virtual Network. Click Custom Create to begin the configuration wizard.
3. On the Virtual Network Details page, enter a name for the network:
4. On the DNS Servers and VPN Connectivity page, don’t make any changes. Just move forward to the
next page by clicking the arrow. Later, we will update with our AD DNS server.
5. The Virtual Network Address Spaces page is where you enter the address space that you want to
use for this VNet.
The wizard creates the network using a default IP address range that your VMs will live on. If you need
a different range, you will need to define the address space manually here.
6. Click the Check button to finish.
2 Install Active Directory in Azure
The next step is to create the Active Directory domain controller in Azure. For more reference, review:
http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/
2.1 Create the VM to Host the Domain Controller
1. Click New > Compute > Virtual Machine > From Gallery.
2. Select Windows Server 2012 R2
3. Fill in the fields
Give the VM a name (e.g., dc1).
Select the VM size. Note that the size will affect the costs in Azure.
Select a user name and password; this account will be added to the local Administrators group in the VM.
4. Fill in the fields.
Select “Create a new cloud service.”
For Cloud Service DNS name, I tried to keep the default, but got an error stating that a cloud app already
exists with that name so I had to change it and give it a new name.
For Region/Affinity Group/Virtual Network, select the Azure Virtual Network created earlier.
For Virtual Network Subnets, select the subnet that you want to use.
Keep the defaults on the other options.
Notice the endpoints that will be enabled for this VM: Remote Desktop and PowerShell access to the
VM.
5. Install the VM Agent
2.2 Set Static IP Address for VM
By default Azure VMs are assigned dynamic IP addresses (DIP). The dynamic IP address persists for
the life of the VM. However, the dynamic address is deallocated if the VM is shut down. To prevent the
IP address from being deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.
2.2.1 Download and Install PowerShell for Azure
Read the following article for more background:
http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/
Download and install the Azure Powershell module from:
http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409
2.2.2 Connect to your Azure subscription
Review (http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/) and
notice that there are two methods to connect to your Azure subscription. I am going with the
management certificate approach. From the article:
1. Sign in to the Azure Management Portal using the credentials for your Azure account.
2. Open the Azure PowerShell console, as instructed in How to: Install Azure PowerShell.
3. Type the following command:
Get-AzurePublishSettingsFile
4. When prompted, download and save the publishing profile and note the path and name of the
.publishsettings file. This information is required when you run the Import-AzurePublishSettingsFile cmdlet
to import the settings. The default location and file name format is:
C:\Users\<UserProfile>\Download\[MySubscription-...]-downloadDate-credentials.publishsettings
(C:\deandata\ds_mtc\1-Private-Cloud-lab\Azure-Management-Certificate)
5. Type a command similar to the following, substituting your Windows account name and the path and file
name for the placeholders:
Import-AzurePublishSettingsFile C:\Users\<UserProfile>\Downloads\<SubscriptionName>-credentials.publishsettings
2.2.3 Verify that Static IP Address is Available
Run a command similar to:
Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress 192.168.4.7
2.2.4 Update VM with Static IP Address
First, get information on the VM and confirm that this is the VM that we want to change the IP Address
of.
Get-AzureVM -ServiceName deandc1 -Name dc1
If we are sure that we want to change the IP address of this VM, run the following to update that VM
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
After the VM restarts, I checked for the new IP address.
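The steps in 2.2.2 through 2.2.4 combined into one script, as an added example that is not from the original post. It uses the Azure Service Management cmdlets named above; the publish-settings path, subscription name and VNet name are placeholders, while the cloud service "deandc1", VM "dc1" and the address 10.0.0.10 are the values shown in this post.

```powershell
# Added example (not from the original post): reserve the DC's VNet address as a
# static IP, checking availability first and reading the reservation back afterwards.
# Placeholders: publish-settings path, subscription name, VNet name.
param(
    [string]$PublishSettings  = 'C:\path\to\your-subscription-credentials.publishsettings',
    [string]$SubscriptionName = 'YOUR-SUBSCRIPTION-NAME',
    [string]$ServiceName      = 'deandc1',
    [string]$VMName           = 'dc1',
    [string]$VNetName         = 'YOUR-VNET-NAME',
    [string]$StaticIP         = '10.0.0.10'
)
$ErrorActionPreference = 'Stop'

# Management-certificate sign-in (the approach chosen in 2.2.2).
Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettings
Select-AzureSubscription -SubscriptionName $SubscriptionName

# Confirm we are looking at the right VM before changing anything.
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
if (-not $vm) { throw "VM '$VMName' not found in cloud service '$ServiceName'" }
Write-Host "Current address of $($vm.Name): $($vm.IpAddress) (status: $($vm.Status))"

# Ask the platform whether the address is free; if not, it suggests alternatives.
$probe = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $StaticIP
if (-not $probe.IsAvailable) {
    throw "$StaticIP is already in use. Available: $($probe.AvailableAddresses -join ', ')"
}

# Reserve the address; Update-AzureVM applies the change and restarts the VM.
$vm | Set-AzureStaticVNetIP -IPAddress $StaticIP | Update-AzureVM

# Verify from the platform's view rather than trusting the pipeline's exit status;
# domain members will later be pointed at this address for DNS, so it must stick.
$reserved = Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureStaticVNetIP
if ($reserved.IPAddress -ne $StaticIP) { throw "Static IP $StaticIP was not applied to $VMName" }
Write-Host "Static VNet IP $StaticIP reserved for $VMName"
```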
Note: You can connect to the VM via RDP by selecting the VM in the portal and at the bottom, there is a
Connect button.
2.3 Add a Data Disk to VM for AD Database
By default, the Azure VM OS disk has write caching enabled. AD best practices recommend disabling
write caching so that AD database changes are committed to disk before the transaction is considered complete.
In Azure, another disk option, the data disk, is available. Data disk drives do not cache writes by default.
Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure
the write is committed to durable Azure storage before the transaction is complete from the perspective
of the VM’s operating system. It provides durability, at the expense of slightly slower writes.
Please note that at this time, Azure Data disks are constrained to 1 TB in size.
1. Select the VM in the Azure Management Portal
2. Press the Attach button and select “Attach empty disk” on the pop-up menu
3. Specify a size (e.g. 2GB) and make sure that the Host Cache Preference is set to None.
4. Initialize the disk
From (http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/)
1. Log on to the VM and format the additional disk.
   1. Click Connect to log on to the VM, click Open to create an RDP session, and click Connect again.
   2. Change the credentials to the new user name and password you specified.
   3. In Server Manager, click Tools > Computer Management.
   4. Click Disk Management and click Ok to initialize the new disk.
   5. Right-click the disk name and click New Simple Volume. Complete the wizard to format the new drive.
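The same data-disk procedure done from PowerShell, as an added example that is not from the original post or the referenced article. The first part runs in the connected Azure PowerShell session from 2.2.2 (cloud service "deandc1" and VM "dc1" are the post's names; the disk label is made up); the second part runs inside the VM over RDP and replaces the Disk Management clicks.

```powershell
# Added example (not from the original post): attach the AD data disk with host
# caching set to None and verify that setting before anything is placed on the disk.
$ServiceName = 'deandc1'
$VMName      = 'dc1'
$ErrorActionPreference = 'Stop'

# Attach an empty 2 GB disk at LUN 0. HostCaching None gives write-through behaviour,
# which is what the AD database and logs need for durability.
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 2 -DiskLabel 'ADData' -LUN 0 -HostCaching None |
    Update-AzureVM

# Verify: every data disk must report HostCaching = None. The OS disk setting is
# printed for contrast; it is the reason NTDS/SYSVOL should not stay on the OS disk.
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
$os = $vm | Get-AzureOSDisk
Write-Host "OS disk $($os.DiskName): HostCaching=$($os.HostCaching)"
foreach ($d in ($vm | Get-AzureDataDisk)) {
    Write-Host "Data disk LUN $($d.Lun) ($($d.DiskLabel)): HostCaching=$($d.HostCaching)"
    if ($d.HostCaching -ne 'None') {
        throw "Data disk at LUN $($d.Lun) has host caching enabled; do not put the AD database on it"
    }
}

# --- Run inside the VM (RDP session): bring the raw disk online as E: ---
# Equivalent of the Disk Management steps above: initialize, partition, format.
$raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' }
if ($raw) {
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter E |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADData' -Confirm:$false
} else {
    Write-Host 'No uninitialized disk found; the data disk may already be formatted'
}
```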
2.4 Install Active Directory
I used (http://technet.microsoft.com/library/jj574166.aspx) as a reference.
2.4.1 Install Active Directory Domain Services Role (AD DS)
1. Launch Server Manager
2. Select “Add roles and features”
3. Press Next
4. Press Next
5. Press Next.
6. Select “Active Directory Domain Services”
10. Press Next.
11. I checked to allow automatic restarts. Press Install.
2.4.2 Promote the machine to a domain controller
1. Click the link “Promote this service to a domain controller”
2. Select “Add a new forest”
3. Choose forest and domain functional level. Notice that the wizard installs the DNS and GC.
Specify a DSRM password.
6. Change folder locations to the new data disk created earlier.
7. Press Next
The following is the PowerShell script that the wizard created.
#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "e:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "deancloud1.com" `
-DomainNetbiosName "DEANCLOUD1" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "e:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "e:\Windows\SYSVOL" `
-Force:$true
8. After the prerequisites check, press Install
2.5 DNS Configuration
I noticed that DNS was installed. It's interesting to note that the network properties were changed so
that the server points to itself for DNS.
In the DNS configuration, the install process created a forwarder to the Azure DNS.
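A post-promotion check script to run on the new domain controller, as an added example that is not from the original post. It verifies what sections 2.4.2 and 2.5 describe: the database, logs and SYSVOL landed on the data disk, the DNS role is installed with the DC resolving through itself, the forwarder exists, and the domain's LDAP SRV record resolves. The drive letter and domain name are the ones in the wizard's script; the registry value names are the standard NTDS and Netlogon parameters.

```powershell
# Added example (not from the original post): verify the promotion result on the DC.
$DataDrive  = 'E:'
$DomainName = 'deancloud1.com'
$problems   = @()

# 1. Read the real NTDS/SYSVOL locations from the registry rather than assuming them.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
foreach ($p in @($ntds.'DSA Database file', $ntds.'DSA Working Directory', $sysvol)) {
    if (-not $p.StartsWith($DataDrive, 'OrdinalIgnoreCase')) { $problems += "Not on data disk: $p" }
}

# 2. DNS role present, and the DC's own NIC uses the DC itself as resolver.
if (-not (Get-WindowsFeature DNS).Installed) { $problems += 'DNS Server role not installed' }
$self = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses
$pointsToSelf = $resolvers | Where-Object { $_ -eq '127.0.0.1' -or $self -contains $_ }
if (-not $pointsToSelf) { $problems += "DC resolvers are [$($resolvers -join ', ')], not itself" }

# 3. Forwarder created by the wizard, and the domain's DC locator record resolvable.
$fwd = (Get-DnsServerForwarder).IPAddress
if (-not $fwd) { $problems += 'No DNS forwarder configured' }
else { Write-Host "Forwarders: $(($fwd | ForEach-Object { $_.IPAddressToString }) -join ', ')" }
$srv = Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$DomainName" -ErrorAction SilentlyContinue
if (-not $srv) { $problems += "SRV record _ldap._tcp.dc._msdcs.$DomainName did not resolve" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "DC checks passed: AD files on $DataDrive, DNS self-hosted with a forwarder, SRV records present"
```

Run it in an elevated PowerShell session on the DC after the post-promotion reboot; a non-zero exit means at least one of the expectations above was not met.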
2.6 Configure the DNS Server on the Azure Virtual Network
In the Azure Management Portal, select the Azure Virtual Network created earlier and select
“Configure”