Dela via


Step-by-Step: Building a Windows Server 2012 Active Directory Forest in the Cloud with Windows Azure

Often times, applications that we’re deploying to the cloud may expect Windows Server Active Directory to be present for authentication and identity management.  With Windows Azure Virtual Machines and Virtual Networks, we can deploy Windows Server Active Directory on the Windows Azure cloud platform to support these security needs.  Best of all, you can test and pilot this scenario for FREE by using our Windows Azure 90-Day Free Trial program.

Ready? Active Directory … To the Cloud!

There’s actually two options for supporting Active Directory authentication and identity management in the Windows Azure cloud: Windows Azure Active Directory and Windows Server Active Directory on Windows Azure VMs.  In this article, we’ll be focusing on implementing the second option, but for an overview of both options with practical usage scenarios, check out the following article:

In this article, we’ll be working through the steps involved with provisioning a new Windows Server 2012 Active Directory Forest in the Cloud with Windows Azure Virtual Machines and Virtual Networks.

Windows Server Active Directory Lab Scenario

In this step-by-step guide, I’ll be working through the approach of building a new Windows Server Active Directory Forest using a single Windows Azure Virtual Machine and Virtual Network as depicted in the following diagram:

image
Lab Scenario: Active Directory Forest on Windows Azure

This lab scenario will serve also serve as the basis for future Step-by-Step guides, where we will be adding Replica Active Directory Domain Controllers and Member Servers to this same Virtual Network in the Windows Azure cloud.

Prerequisites

The following is required to complete this step-by-step guide:

  • A Windows Azure subscription with the Virtual Machines Preview enabled.
     
    DO IT: Sign up for a FREE Trial of Windows Azure
     
    NOTE: When activating your FREE Trial for Windows Azure, you will be prompted for credit card information.  This information is used only to validate your identity and your credit card will not be charged, unless you explicitly convert your FREE Trial account to a paid subscription at a later point in time. 
     
  • Completion of the Getting Started tasks in the following article:
     
    DO IT: Getting Started with Servers in the Cloud
     
  • This step-by-step guide also assumes that the reader is already somewhat familiar with configuring Windows Server 2012 Active Directory in an on-premise deployment.  For a primer on What’s New in Windows Server 2012 Active Directory, join our Windows Server 2012 “Early Experts” study group and review the following study guide:
     
    DO IT: Complete the “Early Experts” Installer Quest – Installing Active Directory
     
    Join Us! We already have thousands of IT Pros working together to study the new Cloud OS capabilities of Windows Server 2012.  Along the way, you may want to check out the other “Early Experts” Knowledge Quests, too. 
     

Complete each Knowledge Quest at your own pace based on your schedule.  You’ll receive your very own “Early Experts” Certificate of Completion, suitable for printing, framing or sharing online with your social network!

WS2012EE-Apprentice-Sample
Windows Server 2012 “Early Experts” Certificate of Completion

Let’s Get Started!

In this Step-by-Step guide, you will learn how to:

  • Register a DNS Server in Windows Azure
  • Define a Virtual Network in Windows Azure
  • Deploy a new Windows Server 2012 VM in Windows Azure
  • Configure a Windows Server Active Directory Forest in a Windows Azure VM
  • Export / Import Lab Virtual Machines

Estimated Time to Complete: 60 minutes

Exercise 1: Register a DNS Server in Windows Azure

Register the internal IP address that our domain controller VM will be using for Active Directory-integrated Dynamic DNS services by performing the following steps:

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Register DNS Server.
     
  4. Complete the DNS Server fields as follows:
     
    - NAME: XXXlabdns01
     
    - DNS Server IP Address: 10.0.0.4
     
  5. Click the REGISTER DNS SERVER button.

Exercise 2: Define a Virtual Network in Windows Azure

Define a common virtual network in Windows Azure for running Active Directory, Database and SharePoint virtual machines by performing the following steps:

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Quick Create.
     
  4. Complete the Virtual Network fields as follows:
     
    - NAME: XXXlabnet01
     
    - Address Space: 10.---.---.---
     
    - Maximum VM Count: 4096 [CIDR: /20]
     
    - Affinity Group: Select the Affinity Group defined in the Getting Started steps from the Prerequisites section above.
     
    - Connect to Existing DNS: Select XXXlabdns01 – the DNS Server registered in Exercise 1 above.
     
  5. Click the CREATE A VIRTUAL NETWORK button.

Exercise 3: Deploy a New Windows Server 2012 VM in Windows Azure

In this exercise, you will provision a new Windows Azure VM to run a Windows Server 2012 on the Windows Azure Virtual Network provisioned in Exercise 2.

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Virtual Machines located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Compute | Virtual Machines | From Gallery.
     
  4. In the Virtual Machine Operating System Selection list, select Windows Server 2012, December 2012 and click the Next button.
     
  5. On the Virtual Machine Configuration page, complete the fields as follows:
     
    - Virtual Machine Name: XXXlabad01
     
    - New Password and Confirm Password fields: Choose and confirm a new local Administrator password.
     
    - Size: Small (1 core, 1.75GB Memory)
     
    Click the Next button to continue.
     
    Note: It is suggested to use secure passwords for Administrator users and service accounts, as Windows Azure virtual machines could be accessible from the Internet knowing just their DNS.  You can also read this document on the Microsoft Security website that will help you select a secure password: https://www.microsoft.com/security/online-privacy/passwords-create.aspx.
     
  6. On the Virtual Machine Mode page, complete the fields as follows:
     
    - Standalone Virtual Machine: Selected
     
    - DNS Name: XXXlabad01.cloudapp.net
     
    - Storage Account: Select the Storage Account defined in the Getting Started steps from the Prerequisites section above.
     
    - Region/Affinity Group/Virtual Network: Select XXXlabnet01 – the Virtual Network defined in Exercise 2 above.
     
    - Virtual Network Subnets: Select Subnet-1 (10.0.0.0/23)
     
    Click the Next button to continue.
     
  7. On the Virtual Machine Options page, click the Checkmark button to begin provisioning the new virtual machine.
     
    As the new virtual machine is being provisioned, you will see the Status column on the Virtual Machines page of the Windows Azure Management Portal cycle through several values including Stopped, Stopped (Provisioning), and Running (Provisioning) .  When provisioning for this new Virtual Machine is completed, the Status column will display a value of Running and you may continue with the next exercise in this guide.
     
  8. After the new virtual machine has finished provisioning, click on the name ( XXXlabad01 ) of the new Virtual Machine displayed on the Virtual Machines page of the Windows Azure Management Portal to open the Virtual Machine Details Page for XXXlabad01.

Exercise 4: Configure a Windows Server Active Directory Forest in a Windows Azure VM

In this exercise, you will install and configure a new Windows Server 2012 Active Directory Forest on the VM deployed in Exercise 3.

  1. On the Virtual Machine Details Page for XXXlabad01, make note of the Internal IP Address displayed on this page.  This IP address should be listed as 10.0.0.4
     
    If a different internal IP address is displayed, the virtual network and/or virtual machine configuration was not completed correctly.  In this case, click the DELETE button located on the bottom toolbar of the virtual machine details page for XXXlabad01, and go back to Exercise 2 and Exercise 3 to confirm that all steps were completed correctly.
     
  2. On the virtual machine details page for XXXlabad01, click the Attach button located on the bottom navigation toolbar and select Attach Empty Disk.  Complete the following fields on the Attach an empty disk to the virtual machine form:
     
    - Name: XXXlabad01-data01
     
    - Size: 10 GB
     
    - Host Cache Preference: None
     
    Click the Checkmark button to create and attach the a new virtual hard disk to virtual machine XXXlabad01.
     
  3. On the virtual machine details page for XXXlabad01, click the Connect button located on the bottom navigation toolbar and click the Open button to launch a Remote Desktop Connection to the console of this virtual machine.  Logon at the console of your virtual machine with the local Administrator credentials defined in Exercise 3 above.
     
    Wait for the Server Manager tool to launch before continuing with the next step.
     
  4. In the Server Manager window, format the disk attached in Step 2 above by launching the Computer Management tool from the Tools menu located on the top navigation bar.
     
    1. In the Computer Management window, click on Disk Management in the left navigation pane.
       
    2. When prompted with the Initialize Disk dialog box, click the OK button to continue.
       
    3. Right-click on the unallocated disk space on Disk 2 and select New Simple Volume… from the pop-up menu.
       
    4. In the New Simple Volume Wizard, click the Next button on each page to accept all default values. 
       
    5. Click the Finish button on the last page of the wizard to create a new F: volume.
       
    6. When the new volume has finished the formatting process, close the Computer Management window.
       
  5. In the Server Manager window, install Active Directory Domain Services by launching the Add Roles and Features wizard from the Manage menu located on the top navigation bar.
     
    1. In the Add Roles and Feature Wizard dialog box, click the Next button three times to advance to the list of Roles to install.
       
    2. In the list of roles, check the checkbox for the Active Directory Domain Services role.  When prompted to add additional features, click the Add Features button.
       
    3. Click the Next button until you advance to the Confirm installation selections page of the wizard.  Click the Install button to begin the installation process.
       
    4. When the installation of Active Directory Domain Services has completed, do not click the Close button.  Instead, click the link titled Promote this server to a domain controller.  
       
      This will launch the Active Directory Domain Services Configuration Wizard.
       
    5. In the Active Directory Domain Services Configuration Wizard dialog box, select the deployment operation for Add a new forest.
       
    6. In the Root domain name: field, enter contoso.comas the name of the root domain in the new Active Directory forest.  Click the Next button.
       
    7. On the Domain Controller Options page of the wizard, enter and confirm a recovery password in the Directory Services Restore Mode (DSRM) password fields.  Click the Next button.
       
    8. On the DNS Options page of the wizard, ignore the warning message and click the Next button to continue.
       
    9. On the Additional Options page of the wizard, accept the default value for NetBIOS domain name and click the Next button.
       
    10. On the Paths page of the wizard, change the Database folder, Log files folder and SYSVOL folder paths to begin with F: instead of C:. Click the Next button.
       
    11. On the Review Options page, click the View Script button.  A PowerShell script snippet will be displayed in a Notepad window.  This snippet includes the cmdlets needed to Install a new Active Directory forest via PowerShell with the options selected in the wizard.  Save this snippet to your Documents folder for future reference as a file named PSSnippet-Install-ADDSForest.ps1 and close the Notepad window.
       
    12. On the Review Options page, click the Next button.
       
    13. On the Prerequisites Check page, ignore the warnings displayed and click the Install button.  The warnings displayed are due to the dynamic IP addressing used within Windows Azure Virtual Networks and do not apply to this cloud environment.
       
      The Active Directory Domain Services configuration process will be begin for the new AD Forest.
       
      When the Active Directory configuration process is complete, the server will automatically restart.

Exercise 5: Export / Import Lab Virtual Machines

Our Windows Server 2012 Active Directory Forest VM is now functional in our cloud-based lab, but if you’re like me, you may not be using this lab VM 24x7 around-the-clock.  As long as a virtual machine is provisioned, it will continue to accumulate compute hours against your Free 90-Day Windows Azure Trial account regardless of virtual machine state – even in a shutdown state!

To save our compute hours for productive study time, we can leverage the Windows Azure PowerShell module to automate export and import tasks to de-provision our virtual machine when not in use and re-provision our virtual machine when it is needed again. 

In this exercise, we’ll step through using Windows PowerShell to automate:

  • De-provisioning lab virtual machines when not in use
  • Re-provisioning lab virtual machines when needed again. 

Once you’ve configured the PowerShell snippets below, you’ll be able to spin up your cloud-based lab environment when needed in just a few minutes!

Note: Prior to beginning this exercise, please ensure that you’ve downloaded, installed and configured the Windows Azure PowerShell module as outlined in the Getting Started article listed in the Prerequisite section of this step-by-step guide.  For a step-by-step walkthrough of configuring PowerShell support for Azure, see Setting Up Management by Brian Lewis, one of my peer IT Pro Technical Evangelists.

  1. De-provision the lab. Use the Stop-AzureVM and Export-AzureVM cmdlets in the PowerShell snippet below to shutdown and export lab VMs when they are not being used.  
     

    # Specify the Name of the VM to Export
    $myVM = "XXXlabad01"

    # Stop the VM prior to exporting it
    Stop-AzureVM -ServiceName $myVM -Name $myVM


    # Set the Export folder path for the VM configuration file. Make sure this folder exists!
    $ExportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"

    # Export the VM to a file
    Export-AzureVM -ServiceName $myVM -name $myVM -Path $ExportPath

    # After you've confirmed that the Export file exists, delete the VM
    Remove-AzureVM -ServiceName $myVM -name $myVM

     

  2. Re-provision the lab. Use the Import-AzureVM and Start-AzureVM cmdlets in the PowerShell snippet below to import and start lab VMs when needed again.
     

    # Specify the Name of the VM to Import $myVM = “XXXlabad01"

    # Specify the Name of the Virtual Network on which to Import the VM

    $myVNet = "XXXlabnet01"
    # Specify the Import Path of the VM’s exported configuration file.
    $ImportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"

    # Import the VM to Windows Azure
    Import-AzureVM -Path $ImportPath | New-AzureVM -ServiceName $myVM -VNetName $myVNet

    # Start the VM
    Start-AzureVM -ServiceName $myVM -name $myVM

Completed! What’s Next?

The installation and configuration of a new Windows Server 2012 Active Directory Forest running on Windows Azure is now complete.  To continue your learning about Windows Server 2012, explore these other great resources:

  • Join the Windows Server 2012 “Early Experts” Challenge study group to learn more about Windows Server 2012! and prepare for MCSA Certification!
     
  • Learn more about Windows Azure Virtual Machines and Virtual Networks with this FREE Online Training!
     
  • Complete the other Hands-On Labs in the "Early Experts" Cloud Quest to request your certificate of completion ... Become our next "Early Expert"!

Reference: https://blogs.technet.com/b/keithmayer/archive/2013/01/17/step-by-step-building-a-windows-server-2012-active-directory-forest-in-the-cloud-with-windows-azure.aspx#.UUHLgcb8LPb