Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. At the core of Windows AD DS is the domain controller. The domain controller provides login services, group policies, Domain Name System (DNS) services, and other identity management services for users and computers in a domain, along with other enterprise management services.
In this course, we start by reviewing the Windows AD DS environment including forests and domains. Then we review considerations for deploying domain controllers in a virtualized environment, on-premises, and in Azure. Next, we look at use cases for deploying read-only domain controllers at locations where physical security cannot be guaranteed. Lastly, we examine flexible single master operations roles and how to locate and move them to support troubleshooting efforts.
Learning Objectives
- Deploy and manage domain controllers on-premises
- Deploy and manage domain controllers in Azure
- Deploy read-only domain controllers (RODCs)
- View, manage, and troubleshoot flexible single master operations (FSMO) roles
Intended Audience
- System administrators with responsibilities for managing hybrid identities
- Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
- Anyone preparing for the Azure AZ-800 Administering Windows Server Hybrid Core Infrastructure exam
Prerequisites
- A basic understanding of deploying and managing Microsoft Windows servers
- Windows Server installation media and an environment to run Windows Server (trial available at https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022)
In this demo, we create a new domain controller in Azure. There are a couple of things needed to get started. First, to follow along you need access to an Azure subscription with rights to add resources to it. Microsoft offers a subscription with a 30-day credit and some free services; the amount of credit depends on location. Also, either an existing virtual network has to be available, or we can create a new virtual network in Azure when we deploy the VM. A virtual network acts like a routing switch, providing network connectivity for resources in Azure.
We'll create a new virtual network along with the VM in the example coming up. We also need a local admin account for the VM. In Hyper-V this was the Administrator account. When we deploy a VM in Azure, we can't use admin or administrator as the account name because those are reserved names. The local admin account will end up being the Enterprise Admin and Domain Admin account, so consider that when choosing the name. Please join me in the Azure portal to get started. Here we are in the Azure portal; let's start by creating a new VM resource. If you don't see Virtual Machines in the list, search for virtual machines. Open Virtual Machines and click Create.
We'll create a new resource group for this VM. Give it a name, DemoDCRG for this example. Give the virtual machine a name, AzureDC1 for this example. Select a region to deploy the VM to; this example will use Central US. If you plan to deploy more than one domain controller in the region, select an availability zone or create an availability set. We can't add a VM to an availability set once it's deployed. We'll leave it set to no redundancy for this example. Go to Image and select Windows Server 2019 or 2022 Datacenter. Select the size for the VM; D2s_v3 will work for this example. Add a local administrator account, admin ACT for this example. This account will eventually be the Domain Admin and Enterprise Admin account, so keep that in mind when you're creating it.
Provide a password for the account and leave the inbound port rules as they are; this gives us RDP access to log into the server. Go to Disks, leave the OS disk as is, and go to Data disks. Create and attach a new disk. Managed disks are billed by the amount allocated, not the amount used, so let's change the size to something a little smaller: 128 GB. Note that this will affect the IOPS and throughput of the disk. Click 'OK' to go back to Create a virtual machine. Notice host caching is set to Read-only; change it to None for the Active Directory data drive. Go to Networking. We'll leave the network as is; this creates a new VNet.
Update the subnet as needed or select an existing virtual network. We'll leave the rest set to default and go to Review + create. Once validation passes, click 'Create'. This will take some time to finish, so we'll pause here until it's done. It finished, and now our VM is deployed. Before we log on, let's set the static IP address. Go to the resource group. This lists all the resources we just created. Go to the network interface. This is the virtual network interface for the VM. From here, go to IP configurations.
Open the IP configuration. The public IP address is associated with a public IP resource. Notice that under private IP address settings it's set to Dynamic. Change that to Static. Now we have the option to update the private IP address; we'll leave it as is for this example. Click 'Save'. That creates a static DHCP reservation for the server. Make a note of the IP address; we'll need it shortly. Next, we'll update the virtual network to use the domain controller for DNS. This way, if we add clients to the network, they can join the domain.
Go back to the resource group and go to the virtual network. From the virtual network, go to DNS servers. The default setting is the Azure-provided DNS servers; change it to Custom and add the domain controller's IP address. Click 'Save' and go back to the resource group. Go to the virtual machine. Next we'll connect to the virtual machine and log in. We can do that by pointing the RDP client directly at the public IP address, or by going to Connect at the top of the screen and selecting RDP. From RDP, select Download RDP file. We can open that file to connect to the new server, entering the username and password used to create the server. That will log us into the new VM.
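The Azure-side steps above (resource group, VM with a separate data disk and host caching set to None, static private IP, custom VNet DNS) as an Azure PowerShell script. This is an added example, not code from the course; the Az module, the resource names derived from AzureDC1, and the Win2019Datacenter image alias are assumptions.

```powershell
# Added example (not from the course): Azure PowerShell (Az module) equivalent of the portal steps.
# Assumes Connect-AzAccount has been run; resource names below are chosen for this demo.
$rg   = 'DemoDCRG'
$vm   = 'AzureDC1'
$loc  = 'centralus'
$cred = Get-Credential -Message 'Local admin (admin/administrator are reserved names in Azure)'

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# VM plus a new VNet/subnet/public IP/NSG in one call; RDP (3389) opened as in the portal demo.
# No availability set or zone here: neither can be added after the VM is deployed.
New-AzVM -ResourceGroupName $rg -Name $vm -Location $loc -Image 'Win2019Datacenter' `
    -Size 'Standard_D2s_v3' -Credential $cred `
    -VirtualNetworkName "$vm-vnet" -SubnetName 'default' -PublicIpAddressName "$vm-ip" `
    -SecurityGroupName "$vm-nsg" -OpenPorts 3389 | Out-Null

# Separate 128 GB managed data disk for NTDS/SYSVOL, attached with host caching None
# (managed disks are billed on allocated size, so 128 GB rather than the default).
$diskCfg = New-AzDiskConfig -Location $loc -CreateOption Empty -DiskSizeGB 128 -SkuName 'Premium_LRS'
$disk    = New-AzDisk -ResourceGroupName $rg -DiskName "$vm-data" -Disk $diskCfg
$vmObj   = Get-AzVM -ResourceGroupName $rg -Name $vm
$vmObj   = Add-AzVMDataDisk -VM $vmObj -Name "$vm-data" -CreateOption Attach `
               -ManagedDiskId $disk.Id -Lun 0 -Caching None
Update-AzVM -ResourceGroupName $rg -VM $vmObj | Out-Null

# Pin the private IP: Static is a DHCP reservation the DC keeps across restarts.
$nic = Get-AzNetworkInterface -ResourceId $vmObj.NetworkProfile.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic  = Set-AzNetworkInterface -NetworkInterface $nic
$dcIp = $nic.IpConfigurations[0].PrivateIpAddress
Write-Host "Domain controller private IP: $dcIp"

# Point the VNet's DNS at the future DC so VMs added later can join the domain.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "$vm-vnet"
$vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($dcIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# Public IP to RDP into (same address the portal's Connect > RDP file uses).
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "$vm-ip").IpAddress
```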
Once we've logged in, go to Disk Management to configure the data disk. We get a prompt to initialize the disk; walk through the steps to configure the disk next. Scroll down to view our new disk and create a new volume. Leave the drive letter as F. Let's change the volume label to DataDrive, and we'll format it with NTFS. Notice the D drive is labeled as Temporary Storage. If we go into File Explorer, here we have Temporary Storage on the D drive as well as our DataDrive, the F drive. Open up Temporary Storage; there's a text file warning about data loss on the D drive. We don't want to use this drive for our Active Directory data. We can close that out. Now the server is ready for Active Directory Domain Services.
The following steps are the same as deploying the domain controller in Hyper-V. Start by going to Server Manager. Go to Manage, Add Roles and Features. Click 'Next' to Server Roles. Select Active Directory Domain Services and add all the features. Click 'Next' to Confirmation and install the services. Let's pause here until it finishes installing the roles. That's done; we can now close this and view the new warning message in Server Manager. We'll promote the server to a domain controller. This is the first domain in the forest, so select 'Add a new forest' and supply a root domain name; this example uses the same domain name as the last example, edinalab.local.
Next, we'll add the domain recovery password, the Directory Services Restore Mode (DSRM) password. Keep this password in a safe place; it is required to restore the domain. This is the first DNS zone, so there's no parent zone. Click 'Next', and click 'Next' again at the NetBIOS name. Update the paths to our data drive, the F drive for this example. Click 'Next' to Prerequisites Check. We'll get some warnings like before; one of them indicates we need a static IP address for DNS. That can be ignored because we have a static IP address set in Azure for this VM. Click 'Install' once the checks finish. We'll pause here again until the install finishes and the VM restarts.
The reboot will drop the RDP connection, so you'll have to log in again with that same RDP connection, and the initial login after promoting the server to a domain controller may take a couple of minutes. Here we are logged in after the VM has restarted. Server Manager shows we have Active Directory Domain Services and DNS. Let's go to Active Directory Users and Computers next. Go to Users in the domain and open up the admin account we used to create the server. Go to Member Of; it shows it's a member of the Domain Admins and Enterprise Admins groups. That's how to deploy a domain controller in Azure. Let's shut down the VM from the OS next.
Now, if we go back to the VM in Azure, it shows Stopped, but it's not deallocated. We can deallocate a VM in Azure by clicking 'Stop' in the portal, but deallocating a domain controller in Azure goes against best practices. We can click 'Start' to start the VM. There is a charge accumulating for this VM. If you'd like to remove the VM to stop the charges, the simplest way to do so is to go to the resource group and delete it. This will remove the resource group and everything in it. If it's no longer needed, enter the resource group name to confirm the deletion and click 'Delete'. That will remove all the resources and stop the charges.
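The in-guest steps (initialize and format the data disk as F:, refuse the Temporary Storage disk, install the AD DS role, promote to the first DC of edinalab.local with NTDS and SYSVOL on F:) as a PowerShell script run inside the VM over RDP. This is an added example, not the course's own code; it assumes the data disk is the only uninitialized disk and that the DSRM password is entered at the prompt.

```powershell
# Added example (not from the course): run inside AzureDC1 as the local admin account.
# Assumes the attached data disk is the only RAW disk; DSRM password is prompted, never hard-coded.
$dataLetter = 'F'
$domain     = 'edinalab.local'

# 1. Initialize and format the data disk as F: (NTFS, label DataDrive), as in Disk Management.
$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($raw.Count -ne 1) { throw "Expected exactly one uninitialized disk, found $($raw.Count)" }
Initialize-Disk -Number $raw[0].Number -PartitionStyle GPT
New-Partition -DiskNumber $raw[0].Number -UseMaximumSize -DriveLetter $dataLetter | Out-Null
Format-Volume -DriveLetter $dataLetter -FileSystem NTFS -NewFileSystemLabel 'DataDrive' -Confirm:$false | Out-Null

# 2. Guard: never place NTDS/SYSVOL on the Azure temporary disk (volume label "Temporary Storage").
$label = (Get-Volume -DriveLetter $dataLetter).FileSystemLabel
if ($label -eq 'Temporary Storage') { throw "${dataLetter}: is the ephemeral temp disk; use another drive" }

# 3. Install the AD DS role plus management tools (Server Manager > Add Roles and Features).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# 4. Promote to the first DC of a new forest with database, logs and SYSVOL on the data drive.
#    The prerequisite warning about a static IP for DNS is expected: Azure holds the reservation.
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password - store it safely'
Install-ADDSForest -DomainName $domain -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath "${dataLetter}:\NTDS" -LogPath "${dataLetter}:\NTDS" `
    -SysvolPath "${dataLetter}:\SYSVOL" -SafeModeAdministratorPassword $dsrm -Force
# The server reboots. After logging back in, confirm the local admin became a Domain/Enterprise Admin:
# Get-ADPrincipalGroupMembership $env:USERNAME | Select-Object -ExpandProperty Name
```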
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.