Azure Active Directory Labs Series – Creating an AD Forest


Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds. I say pleasure because not only do I love to share knowledge, but the preparation of the training also forces me to go deep on some aspects of what I'm going to teach.

In that training there were 8 labs and I thought it would be great to share them with the more general public. The labs follow one another and build on each other.

You can find the exhaustive list on the Cloud Identity & Azure Active Directory page. This is the fifth lab.

In the current lab we configure Virtual Machines (VMs) hosting an Active Directory forest (the on-premises AD). This lab is a preparation for the next lab, where we synchronize that forest with the Azure AD tenant we created earlier.

Run Template

  1. Go to https://azure.microsoft.com/en-us/documentation/templates/active-directory-new-domain-ha-2-dc/
    This is a community-contributed Azure Resource Manager (ARM) quickstart template that creates a new AD forest with two domain controllers (adPDC and adBDC) on Azure VMs.
  2. Fill in the template parameters
    • NEWSTORAGEACCOUNTNAME must be globally unique: 3 to 24 lowercase letters and digits, since it is used as a storage account name
    • ADMINUSERNAME can be changed to your favorite admin name; this is the administrator account on the VMs, and the template uses it to promote the forest, so it also ends up as the domain administrator
    • ADMINPASSWORD should be a strong, unique password that satisfies the Azure VM complexity rules; it becomes the domain administrator password of the new forest, so do not reuse a password from anywhere else
    • ADVMSIZE should be Standard_A1
    • DOMAINNAME should be dm.demo.com
    • DNSPREFIX must be unique, for instance demo-42; it becomes the DNS label of the public IP address the two VMs share
  3. Accept the parameters
  4. Create a new resource group named DCs
  5. Choose the East US 2 location
  6. Read and agree to the legal terms (you do this by clicking Purchase; the template itself is free, you only pay for the Azure resources it creates)
  7. Click Create
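The same deployment driven from Azure PowerShell, as an added example that is not part of the original lab and not the template's own code. It assumes the Az module is installed and Connect-AzAccount has been run, that the template URL is the raw azuredeploy.json of the active-directory-new-domain-ha-2-dc quickstart in the Azure/azure-quickstart-templates GitHub repository, and that the parameter names are the camelCase forms of the portal fields listed above. The template has been revised since this lab was written, so compare the hashtable against the template's parameters section before running (the storage account parameter in particular may have been dropped in favour of managed disks); the admin user name and the storage account name are made-up lab values.

```powershell
# Added example: deploy the lab's AD forest template from Azure PowerShell (Az module).
# Assumptions (not from the original lab): Az module installed, Connect-AzAccount done,
# template URL and parameter names as described in the lead-in.
$resourceGroup = 'DCs'
$location      = 'eastus2'     # the lab's "East US 2"
$templateUri   = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/active-directory/active-directory-new-domain-ha-2-dc/azuredeploy.json'

# Never hard-code ADMINPASSWORD in a script: prompt for it as a SecureString.
$adminPassword = Read-Host -Prompt 'ADMINPASSWORD (becomes the domain administrator password)' -AsSecureString

# Parameter names are assumed to be the camelCase form of the portal fields;
# verify them against the template's "parameters" section before running.
$parameters = @{
    newStorageAccountName = 'dcs' + (Get-Random -Maximum 999999)   # must be globally unique, lowercase
    adminUsername         = 'labadmin'                              # hypothetical; the lab lets you pick
    adminPassword         = $adminPassword
    adVMSize              = 'Standard_A1'
    domainName            = 'dm.demo.com'
    dnsPrefix             = 'demo-42'
}

if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# Validate first: a wrong parameter name or value fails here without creating anything.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri -TemplateParameterObject $parameters
if ($problems) { $problems | Format-List; throw 'Template validation failed' }

$deployment = New-AzResourceGroupDeployment -Name 'ad-forest' -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri -TemplateParameterObject $parameters
"Deployment state: $($deployment.ProvisioningState)"

# Post-deployment check: both DCs sit behind one public IP and each gets RDP through
# its own inbound NAT rule. This lists exactly which ports are exposed to the Internet.
Get-AzLoadBalancer -ResourceGroupName $resourceGroup | ForEach-Object {
    $_.InboundNatRules | Select-Object Name, Protocol, FrontendPort, BackendPort
}
Get-AzPublicIpAddress -ResourceGroupName $resourceGroup |
    Select-Object Name, IpAddress, @{ n = 'Fqdn'; e = { $_.DnsSettings.Fqdn } }
```

The NAT rule listing at the end is the check to run before the next section: it tells you which front-end port maps to which VM's 3389, and reminds you that both are reachable from any source address unless you restrict them.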

Install the AD DS MMC snap-in

  1. RDP into the adBDC VM
  2. Note that RDP to this VM is on port 13389 rather than the default 3389: the template puts both domain controllers behind one public IP, and the load balancer NATs a different front-end port to each VM's port 3389 (adPDC on 3389, adBDC on 13389). Both ports are reachable from the Internet, so keep this to a throwaway lab or restrict the allowed source addresses, for instance with a network security group.
  3. Server Manager should open automatically after logon
  4. In the All Servers view, right-click ADBDC and select Add Roles and Features
  5. Click Next on each page until you reach Features
  6. Scroll down to Remote Server Administration Tools
  7. Expand the node down through Role Administration Tools and AD DS and AD LDS Tools, and make sure AD DS Tools is selected
  8. Click Next
  9. Click Install
  10. Reboot if the wizard asks for it

Add a few users

  1. Server Manager should be open
  2. Right-click ADBDC; Active Directory Users and Computers is now listed in the context menu, so select it
  3. Under the dm.demo.com domain, select the Users folder
  4. Right-click the Users folder
  5. Select the New contextual menu option and the User sub menu option
  6. Fill the form with the following fields
    First Name: Pietro
    Initials: D
    Last Name: Maximoff
    Full Name: Pietro D. Maximoff (should be filled automatically)
    User logon name: pmaximoff
  7. Click Next
  8. Enter the following password and repeat it in the Confirm password field: Abc123!@# (a published, shared password is acceptable only in a throwaway lab; never reuse this pattern in a real forest)
  9. Unselect User must change password at next logon
  10. Select Password never expires
  11. Click Next
  12. Click Finish
  13. Repeat the steps for another user (use the same password):
    First Name: Max
    Initials: (none)
    Last Name: Eisenhardt
    Full Name: Max Eisenhardt (should be filled automatically)
    User logon name: meisenhardt
  14. Repeat the steps for another user (use the same password):
    First Name: Steve
    Initials: (none)
    Last Name: Rogers
    Full Name: Steve Rogers (should be filled automatically)
    User logon name: srogers
  15. You should see the users you created in the object list

Add a few groups

  1. Right-click the Users folder
  2. Select the New contextual menu option and the Group sub menu option
  3. Enter Goodies in the Group name box
  4. Click OK
  5. Perform the same sequence for a group named Baddies

Add a Sync User

We will add a dedicated user that the synchronization tool (Azure AD Connect, set up in the next lab) will use to connect to the directory when syncing with Azure AD.

  1. Right-click the Users folder
  2. Select the New contextual menu option and the User sub menu option
  3. Fill the form with the following fields
    • First Name: Sync
    • Initials: (None)
    • Last Name: Account
    • Full Name: Sync Account (should be filled automatically)
    • User logon name: syncaccount
  4. Click Next
  5. Enter the following password and repeat it in the Confirm password field: Abc123!@# (lab only; this account is about to receive high privilege, so in any real forest it would get a long random password kept in a vault)
  6. Unselect User must change password at next logon
  7. Select Password never expires
  8. Click Next
  9. Click Finish
  10. In the object list, find Enterprise Admins & double-click on it
  11. Select the Members tab
  12. Click the Add button
  13. Type Sync Account in the text box & click the Check Names button ; the user account you just created should be resolved
  14. Click OK to accept the account
  15. Click OK to accept the modification to members
  16. The Sync Account is now a member of Enterprise Admins. Azure AD Connect (next lab) asks for Enterprise Admin credentials during installation, but only so that the wizard can create and delegate permissions to the account it actually syncs with; the connector account itself needs read access to the directory plus the Replicating Directory Changes and Replicating Directory Changes All permissions for password hash sync, not Enterprise Admin membership. Leaving a permanently privileged sync account like this is acceptable in a throwaway lab only.

Post Lab

Make sure you can find all the objects you created in the object list.
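The snap-in install, the three users, the two groups, the sync account and the post-lab check above, done with the ActiveDirectory PowerShell module instead of the Server Manager and ADUC clicks. This is an added example, not the lab's own code; it assumes an elevated PowerShell session on adBDC in the dm.demo.com forest built by the template, uses the lab's published lab-only password, and otherwise only uses object names taken from the lab (the RSAT-ADDS feature name is the real Windows feature behind the wizard's AD DS Tools entry).

```powershell
# Added example (not the lab's own code): recreate the lab's directory objects with
# the ActiveDirectory module, then run the post-lab check. Run elevated on adBDC.
# Assumes the dm.demo.com forest created by the template.

# "AD DS Tools" in the Add Roles and Features wizard is the RSAT-ADDS feature (the
# snap-ins); the PowerShell module itself ships with the AD DS role on a DC.
if (-not (Get-WindowsFeature -Name RSAT-ADDS).Installed) {
    Install-WindowsFeature -Name RSAT-ADDS -IncludeAllSubFeature | Out-Null
}
Import-Module ActiveDirectory

$domain  = Get-ADDomain -Identity 'dm.demo.com'
$usersCn = "CN=Users,$($domain.DistinguishedName)"      # the Users folder in ADUC
# Lab-only shared password; a real account gets its own long random password.
$labPassword = ConvertTo-SecureString -String 'Abc123!@#' -AsPlainText -Force

$people = @(
    @{ Given = 'Pietro'; Initials = 'D'; Surname = 'Maximoff';   Sam = 'pmaximoff'   },
    @{ Given = 'Max';    Initials = '';  Surname = 'Eisenhardt'; Sam = 'meisenhardt' },
    @{ Given = 'Steve';  Initials = '';  Surname = 'Rogers';     Sam = 'srogers'     },
    @{ Given = 'Sync';   Initials = '';  Surname = 'Account';    Sam = 'syncaccount' }
)

foreach ($p in $people) {
    # ADUC composes "First I. Last" as the full name; reproduce that for the CN.
    $fullName = if ($p.Initials) { "$($p.Given) $($p.Initials). $($p.Surname)" }
                else             { "$($p.Given) $($p.Surname)" }
    if (Get-ADUser -Filter "SamAccountName -eq '$($p.Sam)'") { continue }   # idempotent re-runs
    $user = @{
        Name                  = $fullName
        DisplayName           = $fullName
        GivenName             = $p.Given
        Surname               = $p.Surname
        SamAccountName        = $p.Sam
        UserPrincipalName     = "$($p.Sam)@$($domain.DNSRoot)"
        Path                  = $usersCn
        AccountPassword       = $labPassword
        ChangePasswordAtLogon = $false    # "User must change password at next logon" cleared
        PasswordNeverExpires  = $true     # "Password never expires" ticked (lab only)
        Enabled               = $true
    }
    if ($p.Initials) { $user.Initials = $p.Initials }
    New-ADUser @user
}

foreach ($groupName in 'Goodies', 'Baddies') {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $usersCn
    }
}

# The lab makes the sync account an Enterprise Admin. Lab only: Azure AD Connect needs
# those rights during setup, not on the account that syncs day to day.
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins'
if (-not ($eaMembers | Where-Object { $_.SamAccountName -eq 'syncaccount' })) {
    Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'syncaccount'
}

# Post-lab check: every object exists with the flags the lab asked for, and
# Enterprise Admins holds nothing beyond the built-in Administrator and the sync account.
$expected = 'pmaximoff', 'meisenhardt', 'srogers', 'syncaccount'
Get-ADUser -Filter * -SearchBase $usersCn -Properties PasswordNeverExpires |
    Where-Object { $_.SamAccountName -in $expected } |
    Format-Table SamAccountName, Name, Enabled, PasswordNeverExpires -AutoSize
Get-ADGroup -Filter "Name -eq 'Goodies' -or Name -eq 'Baddies'" | Format-Table Name, GroupScope, GroupCategory
Get-ADGroupMember -Identity 'Enterprise Admins' | Format-Table SamAccountName, objectClass -AutoSize
```

The script is safe to run more than once: each object is created only if a lookup by SamAccountName or group name finds nothing, and the Enterprise Admins membership is added only if absent. The final Get-ADGroupMember line is the one worth keeping after the lab, since it is exactly where an accidental extra privileged member would show up.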
