
Step-by-Step: Building a Windows Server 2012 Active Directory Forest in the Cloud with Windows Azure

Often, applications that we’re deploying to the cloud expect Windows Server Active Directory to be present for authentication and identity management.  With Windows Azure Virtual Machines and Virtual Networks, we can deploy Windows Server Active Directory on the Windows Azure cloud platform to support these security needs.  Best of all, you can test and pilot this scenario for FREE by using our Windows Azure 90-Day Free Trial program.

Ready? Active Directory … To the Cloud!

There are actually two options for supporting Active Directory authentication and identity management in the Windows Azure cloud: Windows Azure Active Directory and Windows Server Active Directory on Windows Azure VMs.  In this article, we’ll be focusing on implementing the second option, but for an overview of both options with practical usage scenarios, check out the following article:

In this article, we’ll be working through the steps involved with provisioning a new Windows Server 2012 Active Directory Forest in the Cloud with Windows Azure Virtual Machines and Virtual Networks.

Windows Server Active Directory Lab Scenario

In this step-by-step guide, I’ll be working through the approach of building a new Windows Server Active Directory Forest using a single Windows Azure Virtual Machine and Virtual Network as depicted in the following diagram:

[Diagram] Lab Scenario: Active Directory Forest on Windows Azure

This lab scenario will also serve as the basis for future Step-by-Step guides, where we will be adding Replica Active Directory Domain Controllers and Member Servers to this same Virtual Network in the Windows Azure cloud.

Prerequisites

The following is required to complete this step-by-step guide:

  • A Windows Azure subscription with the Virtual Machines Preview enabled.
     
    DO IT: Sign up for a FREE Trial of Windows Azure
     
    NOTE: When activating your FREE Trial for Windows Azure, you will be prompted for credit card information.  This information is used only to validate your identity and your credit card will not be charged, unless you explicitly convert your FREE Trial account to a paid subscription at a later point in time. 
     
  • Completion of the Getting Started tasks in the following article:
     
    DO IT: Getting Started with Servers in the Cloud
     
  • This step-by-step guide also assumes that the reader is already somewhat familiar with configuring Windows Server 2012 Active Directory in an on-premises deployment.  For a primer on What’s New in Windows Server 2012 Active Directory, join our Windows Server 2012 “Early Experts” study group and review the following study guide: 

Let’s Get Started!

In this Step-by-Step guide, you will learn how to:

  • Register a DNS Server in Windows Azure
  • Define a Virtual Network in Windows Azure
  • Deploy a new Windows Server 2012 VM in Windows Azure
  • Configure a Windows Server Active Directory Forest in a Windows Azure VM
  • Export / Import Lab Virtual Machines

Estimated Time to Complete: 60 minutes

Exercise 1: Register a DNS Server in Windows Azure

Register the internal IP address that our domain controller VM will be using for Active Directory-integrated Dynamic DNS services by performing the following steps:

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Register DNS Server.
     
  4. Complete the DNS Server fields as follows:
     
    - NAME: XXXlabdns01
     
    - DNS Server IP Address: 10.0.0.4
     
  5. Click the REGISTER DNS SERVER button.

Exercise 2: Define a Virtual Network in Windows Azure

Define a common virtual network in Windows Azure for running Active Directory, Database and SharePoint virtual machines by performing the following steps:

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Quick Create.
     
  4. Complete the Virtual Network fields as follows:
     
    - NAME: XXXlabnet01
     
    - Address Space: 10.---.---.---
     
    - Maximum VM Count: 4096 [CIDR: /20]
     
    - Affinity Group: Select the Affinity Group defined in the Getting Started steps from the Prerequisites section above.
     
    - Connect to Existing DNS: Select XXXlabdns01 – the DNS Server registered in Exercise 1 above.
     
  5. Click the CREATE A VIRTUAL NETWORK button.

Exercise 3: Deploy a New Windows Server 2012 VM in Windows Azure

In this exercise, you will provision a new Windows Azure VM to run a Windows Server 2012 on the Windows Azure Virtual Network provisioned in Exercise 2.

  1. Sign in at the Windows Azure Management Portal with the logon credentials used when you signed up for your Free 90-Day Windows Azure Trial.
     
  2. Select Virtual Machines located on the side navigation panel on the Windows Azure Management Portal page.
     
  3. Click the +NEW button located on the bottom navigation bar and select Compute | Virtual Machines | From Gallery.
     
  4. In the Virtual Machine Operating System Selection list, select Windows Server 2012 Datacenter and click the Next button.
     
  5. On the Virtual Machine Configuration page, complete the fields as follows:
     
    Version Release Date:  Select the most recent release date
     
    Virtual Machine Name: XXXlabad01 ( where XXX is replaced with your unique initials )
     
    Size:  Small (1 core, 1.75GB Memory)
     
    New User Name:  XXXAdmin ( where XXX is replaced with your unique initials )
     
    New Password and Confirm Password fields: Choose and confirm a new local Administrator password. 
     
    Click the Next button to continue.
     
    Note: Use a strong password for the Administrator account and for any service accounts.  The VM is reachable from the Internet at its public DNS name (XXXlabad01.cloudapp.net) through the RDP endpoint that Windows Azure opens when the VM is created, so this password is all that stands between an Internet attacker and the server that becomes your domain controller in Exercise 4.  You can also read this document on the Microsoft Security website that will help you select a secure password: https://www.microsoft.com/security/online-privacy/passwords-create.aspx.
     
  6. On the Virtual Machine Mode page, complete the fields as follows:
     
    - Standalone Virtual Machine: Selected
     
    - DNS Name: XXXlabad01.cloudapp.net
     
    - Storage Account: Select the Storage Account defined in the Getting Started steps from the Prerequisites section above.
     
    - Region/Affinity Group/Virtual Network: Select XXXlabnet01 – the Virtual Network defined in Exercise 2 above.
     
    - Virtual Network Subnets: Select Subnet-1 (10.0.0.0/23)
     
    Click the Next button to continue.
     
  7. On the Virtual Machine Options page, click the Checkmark button to begin provisioning the new virtual machine.
     
    As the new virtual machine is being provisioned, you will see the Status column on the Virtual Machines page of the Windows Azure Management Portal cycle through several values including Stopped, Stopped (Provisioning), and Running (Provisioning) .  When provisioning for this new Virtual Machine is completed, the Status column will display a value of Running and you may continue with the next exercise in this guide.
     
  8. After the new virtual machine has finished provisioning, click on the name ( XXXlabad01 ) of the new Virtual Machine displayed on the Virtual Machines page of the Windows Azure Management Portal to open the Virtual Machine Details Page for XXXlabad01.
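The same result as the portal clicks in Exercises 1 through 3, driven from the Windows Azure PowerShell module instead.  This is an added example, not code from the original article.  It assumes the service management cmdlets are installed and `Import-AzurePublishSettingsFile` has already been run, that the Affinity Group from the Getting Started article is named XXXlabag01 and the Storage Account XXXlabstor01 (the guide only names the storage account later, in Exercise 5; the affinity group name is an assumption), and a module version whose Add-AzureProvisioningConfig accepts -AdminUsername.

```powershell
# Added example (not from the original article): Exercises 1-3 with the Windows Azure
# service management cmdlets. Names marked ASSUMPTION are not given by the guide.

# ----- Lab names: the XXX prefix is the reader's initials, as in the guide -----
$prefix        = "XXX"
$dnsName       = "${prefix}labdns01"
$vnetName      = "${prefix}labnet01"
$vmName        = "${prefix}labad01"
$adminUser     = "${prefix}Admin"
$affinityGroup = "${prefix}labag01"    # ASSUMPTION: Affinity Group name from the Getting Started article
$storageAcct   = "${prefix}labstor01"  # Storage Account name the guide uses in Exercise 5
$dcIp          = "10.0.0.4"            # first assignable address on Subnet-1 (.0-.3 are reserved)

# ----- Exercises 1 and 2: register the DNS server and define the Virtual Network -----
# CAUTION: Set-AzureVNetConfig replaces the subscription's ENTIRE network configuration.
# If other Virtual Networks already exist, export them first (Get-AzureVNetConfig) and merge.
$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="$dnsName" IPAddress="$dcIp" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="$vnetName" AffinityGroup="$affinityGroup">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/20</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.0.0/23</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="$dnsName" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@
$netcfgPath = Join-Path $env:TEMP "$vnetName-netcfg.xml"
$netcfg | Out-File -FilePath $netcfgPath -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $netcfgPath

# ----- Exercise 3: deploy the Windows Server 2012 VM onto Subnet-1 -----
$subName = (Get-AzureSubscription -Current).SubscriptionName
Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccount $storageAcct

# Latest Windows Server 2012 Datacenter gallery image ("Version Release Date: most recent")
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 Datacenter" } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1

# Prompt for the local Administrator password instead of embedding it in the script.
# Add-AzureProvisioningConfig takes a plain string, so the SecureString is unwrapped just for that call.
$securePwd = Read-Host -Prompt "Password for $adminUser" -AsSecureString
$plainPwd  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))

# Small instance, Subnet-1, plus the 10 GB empty data disk with host caching OFF (Exercise 4 step 2)
$vmConfig = New-AzureVMConfig -Name $vmName -InstanceSize Small -ImageName $image.ImageName |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $plainPwd |
    Set-AzureSubnet -SubnetNames "Subnet-1" |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 10 -DiskLabel "$vmName-data01" -LUN 0 -HostCaching None

# The cloud service name equals the VM name, giving the public DNS name XXXlabad01.cloudapp.net
New-AzureVM -ServiceName $vmName -AffinityGroup $affinityGroup -VNetName $vnetName -VMs $vmConfig

# Wait for provisioning and verify the VM received the address registered as the VNet DNS server
do {
    Start-Sleep -Seconds 30
    $vm = Get-AzureVM -ServiceName $vmName -Name $vmName
} until ($vm.InstanceStatus -eq "ReadyRole")

if ($vm.IpAddress -ne $dcIp) {
    Write-Warning "$vmName got $($vm.IpAddress), not $dcIp. Delete it and recheck the VNet and subnet selection."
}
```

The final check is the same test Exercise 4 step 1 asks you to make in the portal: the first VM placed on Subnet-1 must come up as 10.0.0.4, or the DNS server registered in Exercise 1 points at nothing.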

Exercise 4: Configure a Windows Server Active Directory Forest in a Windows Azure VM

In this exercise, you will install and configure a new Windows Server 2012 Active Directory Forest on the VM deployed in Exercise 3.

  1. On the Virtual Machine Details Page for XXXlabad01, click on the Dashboard tab on the top navigation bar.  Make note of the Internal IP Address displayed in the Quick Glance section on this page.  This IP address should be listed as 10.0.0.4
     
    If a different internal IP address is displayed, the virtual network and/or virtual machine configuration was not completed correctly.  In this case, click the DELETE button located on the bottom toolbar of the virtual machine details page for XXXlabad01, and go back to Exercise 2 and Exercise 3 to confirm that all steps were completed correctly.
     
  2. On the virtual machine details page for XXXlabad01, click the Attach button located on the bottom navigation toolbar and select Attach Empty Disk.  Complete the following fields on the Attach an empty disk to the virtual machine form:
     
    - Name: XXXlabad01-data01
     
    - Size: 10 GB
     
    - Host Cache Preference: None ( the directory database and logs will live on this disk, and Active Directory depends on its writes reaching the disk when it says they have; a host write cache in front of the disk can lose committed directory writes if the VM is reset )
     
    Click the Checkmark button to create and attach the a new virtual hard disk to virtual machine XXXlabad01.
     
  3. On the virtual machine details page for XXXlabad01, click the Connect button located on the bottom navigation toolbar and click the Open button to launch a Remote Desktop Connection to the console of this virtual machine.  Logon at the console of your virtual machine with the local Administrator credentials defined in Exercise 3 above.
     
    Wait for the Server Manager tool to launch before continuing with the next step.
     
  4. In the Server Manager window, format the disk attached in Step 2 above by launching the Computer Management tool from the Tools menu located on the top navigation bar.
     
    1. In the Computer Management window, click on Disk Management in the left navigation pane.
       
    2. When prompted with the Initialize Disk dialog box, click the OK button to continue.
       
    3. Right-click on the unallocated disk space on Disk 2 and select New Simple Volume… from the pop-up menu.
       
    4. In the New Simple Volume Wizard, click the Next button on each page to accept all default values. 
       
    5. Click the Finish button on the last page of the wizard to create a new F: volume.
       
    6. When the new volume has finished the formatting process, close the Computer Management window.
       
  5. In the Server Manager window, install Active Directory Domain Services by launching the Add Roles and Features wizard from the Manage menu located on the top navigation bar.
     
    1. In the Add Roles and Feature Wizard dialog box, click the Next button three times to advance to the list of Roles to install.
       
    2. In the list of roles, check the checkbox for the Active Directory Domain Services role.  When prompted to add additional features, click the Add Features button.
       
    3. Click the Next button until you advance to the Confirm installation selections page of the wizard.  Click the Install button to begin the installation process.
       
    4. When the installation of Active Directory Domain Services has completed, do not click the Close button.  Instead, click the link titled Promote this server to a domain controller.  
       
      This will launch the Active Directory Domain Services Configuration Wizard.
       
    5. In the Active Directory Domain Services Configuration Wizard dialog box, select the deployment operation for Add a new forest.
       
    6. In the Root domain name: field, enter contoso.com as the name of the root domain in the new Active Directory forest.  Click the Next button.
       
    7. On the Domain Controller Options page of the wizard, enter and confirm a recovery password in the Directory Services Restore Mode (DSRM) password fields.  Click the Next button.  The DSRM password is a local, offline credential for this domain controller only (it is used to boot into Directory Services Restore Mode) and is independent of the domain Administrator password, so record it in a password vault rather than assuming you can recover it from the domain later.
       
    8. On the DNS Options page of the wizard, click the Next button to continue.  The warning that a delegation for this DNS server cannot be created is expected: there is no authoritative parent zone for contoso.com in this lab to hold a delegation.
       
    9. On the Additional Options page of the wizard, accept the default value for NetBIOS domain name and click the Next button.
       
    10. On the Paths page of the wizard, change the Database folder, Log files folder and SYSVOL folder paths to begin with F: instead of C:. Click the Next button.  The OS disk (C:) has host read/write caching enabled by default in Windows Azure, which is why the directory database, logs and SYSVOL go on the uncached data disk attached in Step 2.
       
    11. On the Review Options page, click the View Script button.  A PowerShell script snippet will be displayed in a Notepad window.  This snippet includes the cmdlets needed to Install a new Active Directory forest via PowerShell with the options selected in the wizard.  Save this snippet to your Documents folder for future reference as a file named PSSnippet-Install-ADDSForest.ps1 and close the Notepad window.
       
    12. On the Review Options page, click the Next button.
       
    13. On the Prerequisites Check page, review the warnings and click the Install button.  The expected warning is that the network adapter has a DHCP-assigned IP address: Windows Azure Virtual Networks hand out addresses by DHCP with a lease that stays with the VM for as long as it exists on the Virtual Network, so XXXlabad01 keeps 10.0.0.4, the address registered as the DNS server in Exercise 1.  Do not configure a static IP address inside the guest OS to silence this warning; doing so disconnects the VM from the Virtual Network.  The other warning normally shown here, about cryptography algorithms compatible with Windows NT 4.0, is also safe to accept in a new lab forest with no legacy clients.
       
      The Active Directory Domain Services configuration process will begin for the new AD Forest.
       
      When the Active Directory configuration process is complete, the server will automatically restart.
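Exercise 4 as a script run in an elevated PowerShell session inside XXXlabad01.  This is an added example, not the wizard-generated snippet the guide has you save in step 11, but it makes the same choices: root domain contoso.com, NetBIOS name CONTOSO, DNS installed without a delegation, and database, logs and SYSVOL on F:.  The function names Initialize-LabDataDisk, Install-LabForest and Test-LabForest are mine; Test-LabForest is meant to be run separately after the reboot, logged on as CONTOSO\XXXAdmin.

```powershell
# Added example (not from the original article): Exercise 4 in PowerShell, run inside the VM.
# Install-LabForest prepares the data disk, installs the role and promotes the server.
# Test-LabForest is a separate post-reboot health check.

function Initialize-LabDataDisk {
    # Step 4: bring the attached 10 GB empty disk online as F: (NTFS). Looks for the RAW disk
    # instead of assuming it is "Disk 2", so the function is safe to re-run once F: exists.
    $raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
    if (-not $raw) { Write-Verbose "No RAW disk found; assuming F: is already prepared."; return }
    $raw | Initialize-Disk -PartitionStyle MBR -PassThru |
        New-Partition -UseMaximumSize -DriveLetter F |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "ADDS" -Confirm:$false | Out-Null
}

function Install-LabForest {
    param(
        [string]$DomainName  = "contoso.com",
        [string]$NetbiosName = "CONTOSO",
        [string]$DataRoot    = "F:"
    )

    # Exercise 4 step 1, re-checked from inside the guest: this DC must hold the DHCP-assigned
    # address that was registered as the Virtual Network's DNS server. Never make it static in
    # the OS; the Azure lease follows the VM and a guest-side static IP breaks connectivity.
    $ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' }).IPAddress
    if ($ip -ne "10.0.0.4") { throw "Expected 10.0.0.4 but this VM has $ip; fix the VNet/VM before promoting." }

    Initialize-LabDataDisk

    # Steps 5.1-5.3: AD DS role plus its management tools (AD PowerShell module, DNS tools)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # Step 7: DSRM password, prompted rather than hard-coded. It is the break-glass credential
    # for offline access to this DC's directory database, so keep it in a password vault.
    $dsrm = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

    $forestParams = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName              # step 9: the default NetBIOS name
        ForestMode                    = "Win2012"
        DomainMode                    = "Win2012"
        InstallDns                    = $true                     # step 8: DNS on the DC; no parent zone
        CreateDnsDelegation           = $false                    #         exists, so no delegation
        DatabasePath                  = "$DataRoot\Windows\NTDS"  # step 10: NTDS, logs and SYSVOL
        LogPath                       = "$DataRoot\Windows\NTDS"  #          on the uncached data disk
        SysvolPath                    = "$DataRoot\Windows\SYSVOL"
        SafeModeAdministratorPassword = $dsrm
        NoRebootOnCompletion          = $false                    # reboot when done, like the wizard
        Force                         = $true
    }

    # Step 13: run the prerequisite check explicitly and show it. Expected warnings are the
    # DHCP-assigned address and the NT 4.0 cryptography compatibility notice; stop on anything else.
    Import-Module ADDSDeployment
    Test-ADDSForestInstallation @forestParams | Format-List Status, Message, Context

    Install-ADDSForest @forestParams
}

function Test-LabForest {
    # Run after the post-promotion reboot. Confirms the DC services, the forest, the DC locator
    # SRV record in the new DNS zone, and that NTDS really landed on the data disk.
    param([string]$DomainName = "contoso.com")
    $services = Get-Service NTDS, DNS, Netlogon, KDC
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        Forest          = (Get-ADForest).Name
        DomainMode      = (Get-ADDomain).DomainMode
        ServicesRunning = ($services | Where-Object { $_.Status -ne 'Running' }).Count -eq 0
        DcSrvRecord     = [bool]$srv
        NtdsDirectory   = $ntds.'DSA Working Directory'
    }
}
```

Run `Install-LabForest` once; after the VM comes back, run `Test-LabForest` and expect Forest contoso.com, ServicesRunning True, DcSrvRecord True and an NtdsDirectory under F:.  A False for DcSrvRecord usually means the VM's DNS client is not pointing at 10.0.0.4, which is exactly what the DNS registration in Exercise 1 is there to guarantee.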

Exercise 5: Export / Import Lab Virtual Machines

Our Windows Server 2012 Active Directory Forest VM is now functional in our cloud-based lab, but if you’re like me, you may not be using this lab VM 24x7.  As long as a virtual machine is provisioned, it will continue to accumulate compute hours against your Free 90-Day Windows Azure Trial account regardless of virtual machine state – even in a shutdown state!

To save our compute hours for productive study time, we can leverage the Windows Azure PowerShell module to automate export and import tasks to de-provision our virtual machine when not in use and re-provision our virtual machine when it is needed again. 

In this exercise, we’ll step through using Windows PowerShell to automate:

  • De-provisioning lab virtual machines when not in use
  • Re-provisioning lab virtual machines when needed again. 

Once you’ve configured the PowerShell snippets below, you’ll be able to spin up your cloud-based lab environment when needed in just a few minutes!

Note: Prior to beginning this exercise, please ensure that you’ve downloaded, installed and configured the Windows Azure PowerShell module as outlined in the Getting Started article listed in the Prerequisite section of this step-by-step guide.  For a step-by-step walkthrough of configuring PowerShell support for Azure, see Setting Up Management by Brian Lewis, one of my peer IT Pro Technical Evangelists.

  1. De-provision the lab. Use the Stop-AzureVM and Export-AzureVM cmdlets in the PowerShell snippet below to shutdown and export lab VMs when they are not being used.  
     

    # Specify the Name of the VM to Export ( the cloud service name matches the VM name in this lab )
    $myVM = "XXXlabad01"

    # Stop the VM prior to exporting it.  -Force suppresses the confirmation prompt that newer
    # module versions show when stopping the last VM in a deployment; deallocating is what we want here.
    Stop-AzureVM -ServiceName $myVM -Name $myVM -Force

    # Set the Export path for the VM configuration file.  The folder must already exist.
    $ExportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"

    # Export the VM configuration to a file
    Export-AzureVM -ServiceName $myVM -Name $myVM -Path $ExportPath

    # Only delete the VM once the export file is confirmed to exist.  The OS and data VHDs stay
    # in the storage account; the export file references them by name, so do not delete those disks.
    if (Test-Path $ExportPath) {
        Remove-AzureVM -ServiceName $myVM -Name $myVM
    } else {
        Write-Warning "Export file $ExportPath was not created; VM $myVM was NOT removed."
    }
     

  2. Re-provision the lab. Use the Import-AzureVM and Start-AzureVM cmdlets in the PowerShell snippet below to import and start lab VMs when needed again.
     

    # Specify the Name of the VM to Import
    $myVM = "XXXlabad01"

    # Specify the Name of the Virtual Network on which to Import the VM
    $myVNet = "XXXlabnet01"

    # Specify the Import Path of the VM's exported configuration file.
    $ImportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"

    # Specify the Windows Azure Storage Account that holds the VM's exported VHDs.
    $myStorageAccount = "XXXlabstor01"

    Get-AzureSubscription | Set-AzureSubscription -CurrentStorageAccount $myStorageAccount

    # Import the VM to Windows Azure on the lab Virtual Network.  As the only VM on Subnet-1 it
    # receives 10.0.0.4 again, which keeps the DNS Server registered in Exercise 1 valid.
    Import-AzureVM -Path $ImportPath | New-AzureVM -ServiceName $myVM -VNetName $myVNet

    # Start the VM
    Start-AzureVM -ServiceName $myVM -Name $myVM

Completed! What’s Next?

The installation and configuration of a new Windows Server 2012 Active Directory Forest running on Windows Azure is now complete.  To continue your learning about Windows Server 2012, explore these other great resources:

  • Join the Windows Server 2012 “Early Experts” Challenge study group to learn more about Windows Server 2012! and prepare for MCSA Certification!
     
  • Learn more about Windows Azure Virtual Machines and Virtual Networks with this FREE Online Training!
     
  • Complete the other Hands-On Labs in the "Early Experts" Cloud Quest to request your certificate of completion ... Become our next "Early Expert"!

How are you using Windows Azure Virtual Machines and Virtual Networks?

Do you have an interesting or unique scenario that you are evaluating on the Windows Azure cloud platform?  Feel free to leave your comments, feedback and ideas below to share across our IT Pro community!

Comments

  • Anonymous
    January 01, 2003
    Hi Keith, fantastic stuff this, many thanks. Just a quick question: when I run the PS script to stop/de-provision the VMs I see: PS D:\data> .\StopAzure.ps1 VERBOSE: 19:08:59 - Begin Operation: Get Deployment VERBOSE: 19:09:00 - Completed Operation: Get Deployment Confirm The specified virtual machine is the last virtual machine in this deployment. Continuing will result in a new IP address for your deployment. To shut down without losing the deployment IP use -StayProvisioned. [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): I assume I just hit ENTER at this point? Also, if you get a couple of secs it might be an idea to just include screenshots of what happens when you run the export/de-provision script and the import one (and a note to check under the "VIRTUAL MACHINES" node in the Azure portal that the VM has actually been deleted after running the export and re-created after running the import). Off next to use your ConfigMgr 2012 article to install R2 ;-)

  • Anonymous
    January 01, 2003
    Hi MF, The bottom of the Azure Management Portal has an "information" button that can be used to further diagnose the issue. Hope this helps! Keith

  • Anonymous
    January 01, 2003
    Thanks, nice idea to think

  • Anonymous
    January 01, 2003
    Hi Guertd, Can you confirm the names of your VNet and Storage Account?  In the step-by-step guide, you were instructed to use "01" at the end of those names, but I don't see those values listed that way in your code snippet above. If you continue to have issues, please send me your email address at http://aka.ms/AskKeith so that we can exchange a copy of the exported XML file to review. Thanks! Keith

  • Anonymous
    January 01, 2003
    Hi Cliff, Thanks so much for your feedback! Yes - you are correct.  You can just press Enter when prompted.   This is actually a new prompt introduced after the June updates to Windows Azure for handling VM shutdowns.  You can get the details on the different ways that VMs can be shut down and the results/impact at the link below: blogs.technet.com/.../windows-azure-virtual-machines-there-s-more-than-1-way-to-shutdown-a-vm.aspx I'll also be sure to take your suggestions on PowerShell screenshots into account when running the code when I next update this article.  I've taken this approach for some of my newer PowerShell on Windows Azure articles, such as the following article on Getting Started with PowerShell & Windows Azure: blogs.technet.com/.../weekend-scripter-getting-started-with-windows-azure-and-powershell.aspx Best regards, Keith

  • Anonymous
    March 04, 2013
    I am getting an error on Step 3. "Failed to create virtual machine XXXlabad01" and no more details. Is there any way to troubleshoot this? Thank you.

  • Anonymous
    March 07, 2013
    Hi Keith, I am getting an RDP error between Step 4.2 and Step 4.3

  • Anonymous
    June 18, 2013
    Great article.  I am getting my feet wet in Azure cloud and this gave me initial base. Thanks KeithMayer.

  • Anonymous
    August 14, 2013
    Thanks a million. Superb guidelines! I wish others would write guidelines as helpful

  • Anonymous
    August 15, 2013
    I'm getting a vague error with the import and creation at step 5.2

  • Anonymous
    January 10, 2014
    Windows Azure Active Directory ( WAAD ), a cloud-friendly REST-based implementation of Active Directory for identity management of cloud applications, is now generally available for production cloud apps as a FREE service. WAAD provides consistent centralized

  • Anonymous
    February 07, 2014
    Managing user credentials and application access is becoming more-and-more difficult to manage in today's "cloud era". In addition to managing access to traditional on-premises applications, we're also faced with managing access to numerous

  • Anonymous
    July 22, 2014
    Quick answer - kind of Long answer - read below WE ALL AGREE THAT WE HAVE TWO VERSIONS OF AD HERE Azure

  • Anonymous
    March 13, 2016
    Nice blog