Step-By-Step: Installing a Replica Active Directory Domain Controller in Windows Azure

05/08/2013

Chatter around cloud computing has increased of late as more organizations investigate how to harness the power of the cloud. Having an always-on, always-operational infrastructure based in the cloud provides peace of mind for most. With Microsoft's recent announcement of price reductions for Virtual Machines and Cloud Services, Microsoft Cloud Services have been top of mind for many IT professionals. One concern, highlighted by some IT professionals, has been the lack of training material around Windows Azure. This is where Pierre, Mitch and I are here to help.

This Step-By-Step was produced by the Windows Azure team and is a great example of harnessing the power of the cloud to benefit one's organization.

Prerequisites

Sign up for a FREE 90-day trial of Windows Azure so that the steps provided can be completed.

NOTE: When signing up, credit card information will be requested to confirm that you are a legitimate free trial subscriber. Credit card information is only used to confirm identity and will NOT be charged for any Windows Azure services unless the trial subscription is explicitly converted into a paid subscription at a later date.

Should you currently have a paid subscription or MSDN subscription for Windows Azure, please ensure that you have activated the Windows Azure Virtual Machines and Virtual Networks Preview Feature. When signing up for a new free trial account, this feature is activated automatically.

Before you begin, you need the following in place:

- A Virtual Network for Cross-Premises Connectivity configured between the Windows Azure Virtual Network and the Corp network.
- A cloud service in the virtual network.
- Two VMs deployed in the cloud service that are part of the virtual network (specify the subnet where you want to place each VM). For more information, see Add a Virtual Machine to a Virtual Network. One VM must be size L or greater in order to attach two data disks to it. The data disks are needed to store:
  - The Active Directory database and logs.
  - System state backups.
- A Corp network with two VMs (YourPrimaryDC and FileServer).
- Domain Name System (DNS) infrastructure deployed, if you need external users to resolve names for accounts in Active Directory. In this case, create a DNS zone delegation before you install DNS server on the domain controller, or allow the Active Directory Domain Services Installation Wizard to create the delegation. For more information about creating a DNS zone delegation, see Create a Zone Delegation.
- On the DC that you install on a Windows Azure VM, DNS client resolver settings configured as follows:
  - Preferred DNS server: the on-premises DNS server.
  - Alternate DNS server: the loopback address or, if possible, another DNS server running on a DC on the same virtual network.

Note

You need to provide your own DNS infrastructure to support AD DS on Windows Azure Virtual Network. The Windows Azure-provided DNS infrastructure for this release does not support some features that AD DS requires, such as dynamic SRV resource record registration.

If you already completed the steps in Install a new Active Directory forest in Windows Azure, you might need to remove AD DS from the domain controller on the Windows Azure virtual network before you begin this tutorial. For more information about how to remove AD DS, see Removing a Domain Controller from a Domain.

Step 1: Verify static IP address for YourPrimaryDC

1. Log on to YourPrimaryDC on the Corp network.
2. In Server Manager, click View Network Connections.
3. Right-click the local area network connection and click Properties.
4. Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. Verify that the server is assigned a static IP address.

Step 2: Install Corp forest

1. In the RDP session for the VM, click Start, type dcpromo, and press ENTER.
2. On the Welcome page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and click Next.
5. On the Name the Forest Root Domain page, type corp.contoso.com as the fully qualified domain name (FQDN) of the forest root domain and click Next.
6. On the Set Forest Functional Level page, click Windows Server 2008 R2 and then click Next.
7. On the Additional Domain Controller Options page, click DNS server and click Next.
8. If the DNS delegation warning appears, click Yes.
9. On the Location for Active Directory database, log files and SYSVOL page, type or select the location for the files and click Next.
10. On the Directory Services Restore Administrator page, type and confirm the DSRM password and click Next.
11. On the Summary page, confirm your selections and click Next.
12. After the Active Directory Installation Wizard finishes, click Finish and then click Restart Now to complete the installation.

Step 3: Create subnets and sites

1. On YourPrimaryDC, click Start, click Administrative Tools and then click Active Directory Sites and Services.
2. Click Sites, right-click Subnets, and then click New Subnet.
3. In Prefix, type 10.1.0.0/24, select the Default-First-Site-Name site object and click OK.
4. Right-click Sites and click New Site.
5. In Name, type CloudSite, select DEFAULTIPSITELINK and click OK. Click OK to confirm the site was created.
6. Right-click Subnets, and then click New Subnet.
7. In Prefix, type 10.4.2.0/24, select the CloudSite site object and click OK.

Step 4: Install an additional domain controller in the CloudSite

1. Log on to YourVMachine, click Start, type dcpromo, and press ENTER.
2. On the Welcome page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and click Next.
5. On the Network Credentials page, make sure you are installing the domain controller in the corp.contoso.com domain and type the credentials of a member of the Domain Admins group (or use corp\administrator credentials).
6. On the Select a Domain page, click Next.
7. On the Select a Site page, make sure that CloudSite is selected and click Next.
8. On the Additional Domain Controller Options page, click Next.
9. On the Static IP assignment warning, click Yes, the computer will use an IP address automatically assigned by a DHCP server (not recommended).

Important: Although the IP address on the Windows Azure Virtual Network is dynamic, its lease lasts for the duration of the VM. Therefore, you do not need to set a static IP address on the domain controller that you install on the virtual network. Setting a static IP address in the VM will cause communication failures.

10. When prompted with the DNS delegation warning, click Yes.
11. On the Location for Active Directory database, log files and SYSVOL page, click Browse and type or select a location on the data disk for the Active Directory files and click Next.
12. On the Directory Services Restore Administrator page, type and confirm the DSRM password and click Next.
13. On the Summary page, click Next.
14. After the Active Directory Installation Wizard finishes, click Finish and then click Restart Now to complete the installation.

Step 5: Validate the installation

Reconnect to the VM. Click Start, right-click Command Prompt and click Run as Administrator. Type the following command and press ENTER:

dcdiag /c /v

Verify that the tests ran successfully.
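A scripted version of this validation, added here as an example and not part of the original article: run in an elevated PowerShell session on YourVMachine, it checks the DNS client order required in the prerequisites, scans dcdiag and repadmin output for failures, and confirms that the new DC registered its site-specific SRV record. The domain and site names are the article's; the on-premises DNS address is a placeholder.

```powershell
# Added example (not from the original article): health check for the replica DC
# after dcpromo. Assumes corp.contoso.com and CloudSite from the article; the
# on-premises DNS server address is a placeholder to replace with your own.
$domain    = 'corp.contoso.com'
$site      = 'CloudSite'
$onPremDns = '10.1.0.4'      # placeholder: your on-premises DNS server
$problems  = @()

# 1. DNS client order from the prerequisites: on-premises first, loopback second
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object -First 1
$dnsOrder = @($nic.DNSServerSearchOrder)
if ($dnsOrder.Count -lt 1 -or $dnsOrder[0] -ne $onPremDns) { $problems += "Preferred DNS is '$($dnsOrder[0])', expected $onPremDns" }
if ($dnsOrder.Count -lt 2 -or $dnsOrder[1] -ne '127.0.0.1') { $problems += 'Alternate DNS should be the loopback address (or another DC on the virtual network)' }

# 2. dcdiag: collect every test that did not pass
$dcdiagOut = dcdiag /c /v
$dcdiagOut | Select-String -Pattern 'failed test' | ForEach-Object { $problems += "dcdiag: $($_.Line.Trim())" }

# 3. Replication with the on-premises DC: any failed inbound attempt is a problem
$replOut = repadmin /showrepl
$replOut | Select-String -Pattern 'failed, result' | ForEach-Object { $problems += "repadmin: $($_.Line.Trim())" }

# 4. Site membership and the site-specific LDAP SRV record on the on-premises DNS server
$siteOut = nltest /dsgetsite
if (-not ($siteOut -match $site)) { $problems += "DC reports site '$($siteOut -join ' ')', expected $site" }
$srv = nslookup -type=SRV "_ldap._tcp.$site._sites.dc._msdcs.$domain" $onPremDns 2>&1
if (-not ($srv -match $env:COMPUTERNAME)) { $problems += "No SRV record for $env:COMPUTERNAME in site $site on $onPremDns" }

# Summary
if ($problems.Count -eq 0) { Write-Host 'Replica DC validation passed' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```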

After the DC is configured, run the Windows PowerShell script in Step 6 to provision additional virtual machines and have them automatically join the domain when they are provisioned. The DNS client resolver settings for the VMs must be configured when the VMs are provisioned. Substitute the correct names for your domain, VM name, and so on.

For more information about using Windows PowerShell, see Getting Started with Windows Azure PowerShell and Windows Azure Management Cmdlets.

Step 6: Provisioning a Virtual Machine that is Domain Joined on Boot

To create an additional virtual machine that is domain-joined when it first boots, open Windows Azure PowerShell ISE, paste the following script, replace the placeholders with your own values and run it. To determine the internal IP address of the domain controller, click the name of the virtual network where it is running. In the following example, the internal IP address of the domain controller is 10.4.3.1. Add-AzureProvisioningConfig also takes a -MachineObjectOU parameter which, if specified (it requires the full distinguished name in Active Directory), allows Group Policy settings to be applied to all of the virtual machines in that container. After the virtual machines are provisioned, log on by specifying a domain account in User Principal Name (UPN) format, such as administrator@corp.contoso.com.

```powershell
# Deploy a new VM and join it to the domain
# -------------------------------------------
# Specify my DC's DNS IP (10.4.3.1)
$myDNS = New-AzureDns -Name 'ContosoDC13' -IPAddress '10.4.3.1'

# OS image to use
$image   = 'MSFT__Sql-Server-11EVAL-11.0.2215.0-08022012-en-us-30GB.vhd'
$service = 'myazuresvcindomainM1'
$AG      = 'YourAffinityGroup'
$vnet    = 'YourVirtualNetwork'
$adminPassword = 'p@$$w0rd'   # local admin password; renamed from $pwd, which shadows PowerShell's automatic $PWD variable
$size    = 'Small'

# VM configuration: join corp.contoso.com at first boot, place the VM in the BackEnd subnet
$vmname = 'MyTestVM1'
$MyVM1 = New-AzureVMConfig -Name $vmname -InstanceSize $size -ImageName $image |
    Add-AzureProvisioningConfig -WindowsDomain -Password $adminPassword `
        -Domain 'corp' -DomainPassword 'p@$$w0rd' -DomainUserName 'Administrator' `
        -JoinDomain 'corp.contoso.com' |
    Set-AzureSubnet -SubnetNames 'BackEnd'

# Create the VM in the cloud service on the virtual network, using the DC as its DNS server
New-AzureVM -ServiceName $service -AffinityGroup $AG -VMs $MyVM1 -DnsSettings $myDNS -VNetName $vnet
```

Step 7: Backup the domain controller

1. Connect to YourVMachine.
2. Click Start, click Server Manager, click Add Features, and then select Windows Server Backup Features. Follow the instructions to install Windows Server Backup.
3. Click Start, click Windows Server Backup, and then click Backup Once.
4. Click Different options and click Next.
5. Click Full Server and click Next.
6. Click Local drives and click Next.
7. Select the destination drive that does not host the operating system files or the Active Directory database, and click Next.
8. Confirm the backup settings you selected and then click Backup.
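The same backup from the command line, added here as an example and not part of the original article: it reads where dcpromo placed the AD database, refuses a target that holds the OS or the database (the check the GUI step asks you to make by hand), and then runs a system state backup with wbadmin. It assumes Windows Server Backup is installed and that the second data disk is mounted as F: (a placeholder).

```powershell
# Added example (not from the original article): system state backup of the
# replica DC with wbadmin, guarded so the target is neither the OS volume nor
# the disk holding NTDS.dit. Assumes the backup data disk is F: (placeholder).
$backupTarget = 'F:'

# Where dcpromo placed the AD database (Step 4 put it on the first data disk)
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbDrive = Split-Path -Qualifier $ntdsParams.'DSA Database file'
$osDrive = Split-Path -Qualifier $env:SystemRoot

if (@($dbDrive, $osDrive) -contains $backupTarget) {
    throw "Backup target $backupTarget holds the OS or the AD database; use a dedicated data disk"
}
if (-not (Test-Path "$backupTarget\")) { throw "Backup target $backupTarget is not mounted" }

# System state covers NTDS.dit, SYSVOL, the registry and boot files; -quiet suppresses the confirmation prompt
& wbadmin start systemstatebackup "-backupTarget:$backupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }

# List the backup versions now present on the target so the result can be checked
& wbadmin get versions "-backupTarget:$backupTarget"
```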

Step 8: Test authentication and authorization

In order to test authentication and authorization, create a domain user account in Active Directory. Log on to the client VM in each site and create a shared folder on the VM. Test access to the shared folder using different accounts, groups and permissions.
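One way to carry out this test from the client VM in CloudSite, added here as an example and not part of the original article: it confirms that the client locates a DC for its own site, then maps the share with a second account and reports whether that account can read and write. It assumes PowerShell 3.0 or later on the client (for New-PSDrive with credentials), the share \\FileServer\TestShare and the test user corp\testuser1, all placeholders created for this step.

```powershell
# Added example (not from the original article): from the client VM in CloudSite,
# check DC locator results for the site and probe share permissions as another
# account. Assumes PowerShell 3.0+, the share and test user below are placeholders.
$domain = 'corp.contoso.com'
$site   = 'CloudSite'
$share  = '\\FileServer\TestShare'

# 1. Site lookup and DC locator: the client should bind to a DC in CloudSite
$clientSite = (nltest /dsgetsite)[0]
if ($clientSite -ne $site) { Write-Warning "Client is in site '$clientSite', expected $site" }
nltest /dsgetdc:$domain /site:$site
Write-Host "Logon server used for this session: $env:LOGONSERVER"

# 2. Authorization probe: map the share with an alternate account and test read and write
function Test-ShareAccess {
    param([string]$Path, [System.Management.Automation.PSCredential]$Credential)
    $result = New-Object PSObject -Property @{ User = $Credential.UserName; Read = $false; Write = $false }
    try {
        New-PSDrive -Name 'T' -PSProvider FileSystem -Root $Path -Credential $Credential -ErrorAction Stop | Out-Null
    } catch {
        # Access denied or bad credentials at connect time: no access at all
        Write-Warning "Could not connect as $($Credential.UserName): $($_.Exception.Message)"
        return $result
    }
    $result.Read = Test-Path 'T:\'
    $probe = 'T:\access-probe.txt'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        $result.Write = $true
        Remove-Item $probe -ErrorAction SilentlyContinue
    } catch { $result.Write = $false }
    Remove-PSDrive -Name 'T' -Force
    return $result
}

# Prompt for the test account's password, then report its effective access to the share
$testUser = Get-Credential 'corp\testuser1'
Test-ShareAccess -Path $share -Credential $testUser | Format-Table User, Read, Write -AutoSize
```

Repeat the call with each account and group membership you want to verify; a user who is denied at connect time shows Read and Write both False.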

Learn more about the features Windows Azure has to offer and get a chance to win your own lab computer by participating in the free Microsoft Virtual Academy. Complete two TechNet evaluations and take the selected Microsoft Virtual Academy courses for your chance at a $5,000 grand prize, a chance to win an HP EliteBook Revolve, and two chances to win 400 Microsoft Points.