Microsoft Azure is a growing collection of integrated cloud services which are available as Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS). In this article, we will see how we can spin up a Windows Server in Azure and use it as a Domain Controller for all the VMs that are part of a Virtual Network.
A Domain Controller is a server that runs a version of the Windows Server operating system and has Active Directory Domain Services (AD DS) installed. When we install Windows Server on an Azure Virtual Machine, we can choose to configure a specific server role for that VM. When we want to create a new forest, a new domain, or an additional domain controller in an existing domain, we configure the server with the role of domain controller by installing AD DS.
Before we can create a Windows Server VM that will act as a Domain Controller, we will create an Azure Virtual Network that will hold all the VMs together within the Domain that we are going to create.
Create an Azure Virtual Network
Once we log into the Azure Management Portal, select the Networks tab from the left pane. Since there are currently no active Virtual Networks, let’s create a new one. We can either click on ‘Create A Virtual Network’ or on the New button.
If we click on ‘New’, the dialog below opens up. Select ‘Virtual Network’ and click on ‘Custom Create’.
This will open up the below page where we can specify the Virtual Network Name and Location of the network.
We can either add a DNS Server to the Virtual Network or leave it blank. For the time being we will leave it as it is and add the entry at a later point, after configuring the Active Directory Domain Controller in one of the VMs. Click on the Next arrow.
On clicking the Next arrow, a page where we can specify the subnets becomes available. This gives the option to divide the virtual network into multiple subnets; thus, within the virtual network, we can create isolation levels based on IP address ranges. However, we will keep the default settings and maintain a single subnet. Click on the Next arrow.
This will start the provisioning of the Virtual Network named ‘Azure-SharePoint 2016 Virtual Network’. Once created, it will be available in the Networks tab as shown below.
Active Directory Domain Controller VM Creation and Configuration
Once the Virtual Network is created, let’s create the Virtual Machine which will house the Windows Server OS and promote it to the Active Directory Domain Controller role.
Create AD VM
From the Virtual Machines Tab in the left pane, Click on ‘Create A Virtual Machine’ or click on the ‘New’ button.
Select ‘Virtual Machine’ and click on ‘From Gallery’.
Select the Windows Server Essentials Experience image that contains a preinstalled copy of Windows Server 2012 R2. Click on Next arrow.
Let’s specify the VM Name as VM01-AzureAD and select the resource size as A2, which offers two cores and 3.5 GB of RAM. Specify the user name and password for the account which will act as the Administrator for the created VM. I have added the user name as ‘AzureADAdmin’. Ensure that you note down the credentials, as they will be used frequently when we have to add other VMs to the domain. ‘AzureADAdmin’ will essentially act as the Domain Administrator for the entire farm. We can add other users to this role by adding them to the group ‘Domain Administrators’ in the VM: VM01-AzureAD.
The cloud service name will be carried over from the VM name. It can be changed if needed. We have kept it as it is.
An important change to make here is the Region/Virtual Network field. By default, a region value will be listed in the field. Make sure we change it to the Virtual Network that we created earlier. This will ensure that the VM is created within the Virtual Network. If we miss this, getting the VM into the Virtual Network after VM creation is a tedious task.
Once the Virtual Network is selected, click on the Next arrow.
Click on the Finish arrow to start the provisioning of the VM.
Once the VM is created it will be listed in the Virtual Machines list.
Ensure that it is in the running state. After the VM is created we have to assign it a static IP address using Azure PowerShell. We can download Microsoft Azure PowerShell from here.
Assign Static IP to the AD VM
Once Microsoft Azure PowerShell is installed, open it as administrator. Enter the below command on the command line to connect to the Azure account.
Add-AzureAccount
This will open up a pop-up where we can add the Azure account credentials. Click on ‘Sign In’ after entering the Azure credentials.
If it successfully authenticates the user, it will show the user Id and Subscription Id as shown above. Run the below command to get all the subscription details of the logged-in user. If there are multiple subscriptions, we will have to select the specific subscription within which we created the Virtual Network and the VM.
Get-AzureSubscription
This will list all the subscriptions of the user as shown below. Use ‘Select-AzureSubscription’ to pick the specific subscription against which we will run the PowerShell cmdlets.
Select-AzureSubscription -SubscriptionId "Id of the subscription"
We can also pick the Azure subscription by specifying the subscription name. However, if there are two subscriptions with the same name, that won’t work; we will have to use the subscription Id in such a case.
Thus we have used PowerShell to connect to the user’s Azure account and to the specific subscription within which we created the virtual network. Now let’s check the available IP addresses within the virtual network so that the VM can be assigned a static IP. When the VM is created, an IP is assigned to it dynamically. However, if we don’t reserve a static IP using PowerShell, the IP of a previously created VM may change when the next VM is created (or when the VM is deallocated and restarted). To avoid that, once the VM is created we will assign an available static IP to the VM so that it is reserved for the VM throughout its lifetime.
Run the below cmdlet to check an IP address within the virtual network.
Test-AzureStaticVnetIP -VNetName "Name of the Virtual Network" -IPAddress "Place Test IP here"
This will check if the test IP is available to be assigned to a VM. If it is available, it will return the “IsAvailable” property as True. If it is not available, it returns the free IPs as a comma-separated list in the property “AvailableAddresses”.
Now we know the available IP addresses within the virtual network. Let’s assign one of them to the previously created VM using the cmdlet:
Get-AzureVM -ServiceName "VM01-AzureAD" -Name "VM01-AzureAD"|Set-AzureStaticVNetIP -IPAddress 10.0.0.5 | Update-AzureVM
-ServiceName is the cloud service DNS name specified during VM creation.
-Name is the name of the VM.
Enter the cmdlet on the Azure PowerShell command line.
Thus the PowerShell cmdlet has successfully updated the VM’s static IP address. Let’s head over to the VM’s dashboard to see if it has been reflected.
As you can see above it has been updated in the dashboard as well.
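The static IP steps above, combined into one script, as an added example that is not part of the original article. It uses the same classic (ASM) Azure PowerShell cmdlets as the walkthrough; the subscription Id is a placeholder, and the VNet, VM and cloud service names and the candidate address 10.0.0.5 are taken from the text. Unlike the walkthrough, it falls back to the first free address when the requested one is already taken, and it reads the reservation back afterwards instead of checking the dashboard.

```powershell
# Added example (not from the original article). Assumed placeholder values below;
# replace <subscription-id> with the Id returned by Get-AzureSubscription.
param(
    [string]$SubscriptionId = '<subscription-id>',
    [string]$VnetName       = 'Azure-SharePoint 2016 Virtual Network',
    [string]$ServiceName    = 'VM01-AzureAD',
    [string]$VmName         = 'VM01-AzureAD',
    [string]$DesiredIp      = '10.0.0.5'
)

# Interactive sign-in, then pin the session to one subscription by Id
# (subscription names need not be unique, Ids are).
Add-AzureAccount | Out-Null
Select-AzureSubscription -SubscriptionId $SubscriptionId

# Fail early if the VM cannot be found under the given cloud service.
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VmName
if (-not $vm) { throw "VM '$VmName' not found in cloud service '$ServiceName'" }

# Ask the platform whether the requested address is free in this VNet.
$check = Test-AzureStaticVnetIP -VNetName $VnetName -IPAddress $DesiredIp
if ($check.IsAvailable) {
    $ipToUse = $DesiredIp
} else {
    # Fall back to the first address Azure reports as free.
    $ipToUse = $check.AvailableAddresses | Select-Object -First 1
    Write-Warning "$DesiredIp is already in use; reserving $ipToUse instead"
}

# Reserve the address for the VM for its lifetime (this updates the VM in place).
$vm | Set-AzureStaticVNetIP -IPAddress $ipToUse | Update-AzureVM | Out-Null

# Read the reservation back rather than trusting the dashboard; the DC's
# address must not drift because the VNet DNS entry added later points at it.
$reserved = Get-AzureVM -ServiceName $ServiceName -Name $VmName | Get-AzureStaticVNetIP
"Reserved static IP for ${VmName}: $($reserved.IPAddress)"
```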
Provision Active Directory Domain Services
Now let’s connect to the VM by clicking on the ‘Connect’ button available at the bottom tab. We have to log in to the VM and Configure the AD services.
When connecting to the remote desktop, user authentication will be checked. Make sure to use the ‘AzureADAdmin’ account credentials which were specified at the time of VM creation.
When logging into the VM, which will act as the Active Directory Domain Controller, we can see that, at present, only 3 roles are assigned to the server. As we proceed we will add 2 more roles to the server:
- Active Directory Domain Services and
- Active Directory Domain Controller.
Let’s configure the first role: Active Directory Domain Services.
As the server starts up, Server Manager will be invoked and will be running by default. Click on ‘Add roles and features’ option in the Server Manager.
This will pop up the ‘Add Roles and Features Wizard’. Click on ‘Next’.
Select the ‘Role-based or feature-based installation’ radio button and click on ‘Next’.
By default ‘Select a server from the server pool’ will be selected and the current VM will be highlighted. Click on ‘Next’.
Now we have to add the server role. Select the ‘Active Directory Domain Services’ check box. It will open up a pop-up that lists the features required for Active Directory Domain Services. Click on the ‘Add Features’ button.
Thus the Active Directory Domain Services role will be checked. Click on ‘Next’.
On this page you can add extra features to the server. Currently we are adding only a role and not any extra features, so click on ‘Next’.
This is just an information screen about AD DS. Click on ‘Next’.
Thus we have come to the penultimate page, which lists the roles that will be added to the server. After confirmation, click on ‘Install’.
Installation of Active Directory Domain Services has started in the VM: VM01-AzureAD.
After some time the installation will complete. Click on the ‘Close’ button.
Thus we have completed the installation of the Active Directory Domain Services role.
Promote VM to Domain Controller
Now let’s head back to Server Manager. In the top right corner a yellow warning notification has come up. Click on it. It states that configuration is required for Active Directory Domain Services at VM01-AzureAD. Click on ‘Promote this server to domain controller’. This will initiate the process of promoting the server to the domain controller role.
When we provisioned the server, there were only 3 roles on the server. After the installation of Active Directory Domain Services it has become 4. Now let’s add one more role, Active Directory Domain Controller. This will be added as we configure Active Directory Domain Services.
The Active Directory Domain Services Configuration Wizard has popped up. Select the ‘Add a new forest’ radio button and add the root domain name. This will act as the domain name for all the VMs within the virtual network. Choose a fully qualified domain name. Click on ‘Next’.
On this page add the Directory Services Restore Mode password and keep it safe by noting it down. Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover an Active Directory database, so this password is effectively an offline administrator credential for the DC. Click on ‘Next’.
Proceed to the next page by clicking on Next.
Specify the NetBIOS domain name. When a new domain is created during the Active Directory installation procedure, the system provides a default NetBIOS domain name that matches the leftmost label of the DNS name. In our case the system has derived the NetBIOS domain name “AZUREAD” from AzureAD.Contoso.Com. Make a note of this, as it can be used instead of the fully qualified domain name AzureAD.Contoso.com. Moreover, in some situations, such as specifying managed accounts when configuring SharePoint Service Applications, we will have to use ‘NetBIOSDomainName\ManagedUserName’ as the user name format.
Add the location for the database and log files or retain the default value. Click on Next.
This page gives the option to review the configuration one final time before the installation.
The prerequisites are checked before the installation starts. Once the prerequisite check has passed, we can click on ‘Install’.
Thus the installation is completed and the server has been successfully configured as a domain controller.
The system will be restarted automatically to apply the changes.
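The same two steps just walked through in Server Manager (installing the AD DS role, then promoting the server to a new forest), performed from an elevated PowerShell session on the VM, as an added example that is not part of the original article. It assumes it is run on VM01-AzureAD with the domain name AzureAD.Contoso.com and NetBIOS name AZUREAD from the text; the database and log paths are the wizard defaults.

```powershell
# Added example (not from the original article). Run elevated on the VM that
# is to become the domain controller; values below are the article's.
$DomainName  = 'AzureAD.Contoso.com'
$NetbiosName = 'AZUREAD'

# 1. Install the AD DS role with its management tools (Add Roles and Features).
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw "AD DS role installation failed: $($feature.ExitCode)" }

# 2. Collect the DSRM password as a SecureString so it never appears in the
#    script, the shell history or a transcript in clear text.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 3. Run the prerequisite checks first (the wizard's 'Prerequisites Check' page)
#    and stop before any change is made if they fail.
$precheck = Test-ADDSForestInstallation -DomainName $DomainName `
                                        -SafeModeAdministratorPassword $dsrmPassword
if ($precheck.Status -ne 'Success') {
    $precheck.Message | ForEach-Object { Write-Warning $_ }
    throw 'Forest installation prerequisites not met'
}

# 4. Create the new forest. DNS is installed on the DC as well; -Force skips the
#    confirmation prompt, and the server reboots on its own when it finishes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
```

Add -NoRebootOnCompletion if you want to inspect the result before the automatic restart.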
Add DNS entry in Virtual Network
Now let’s add a DNS entry on the virtual network’s page. Click on the Virtual Network we created earlier.
Click on the ‘Configure’ button.
On the configure page, we have the option to add the domain name we created in the VM01-AzureAD VM, which was AzureAD.Contoso.com. Also add the corresponding IP of the VM, which we assigned using PowerShell; this is why the DC’s IP had to be reserved as static. Click on Save.
Now the DNS entry has been successfully added to the virtual network, so VMs joined to this network will resolve names through the domain controller.
This completes the configuration of the Virtual Network and the Domain Controller.
Summary
Thus, we saw how to create and configure an Active Directory Domain Controller on an Azure Windows Server VM.