Azure Active Directory Labs Series – Creating an AD Forest
Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds. I say pleasure because not only do I love to share knowledge, but preparing a training also forces me to go deep on some aspects of what I'm going to teach.
In that training there were 8 labs and I thought it would be great to share them with the general public. The labs follow and build on each other.
You can find the exhaustive list on the Cloud Identity & Azure Active Directory page. This is the fifth lab.
In this lab we configure a Virtual Machine (VM) with an Active Directory forest (on-premises AD). This lab prepares for the next one, where we'll synchronize that forest with the Azure AD tenant we created earlier.
Run Template
- Go to https://azure.microsoft.com/en-us/documentation/templates/active-directory-new-domain-ha-2-dc/
This is a community-based ARM template for creating an AD forest on Azure VMs.
- Fill in the template parameters
- NEWSTORAGEACCOUNTNAME should be a unique name (storage account name)
- ADMINUSERNAME can be changed to your favorite admin name; that's the name of the admin on the VM
- ADMINPASSWORD should be a secret password
- ADVMSIZE should be Standard_A1
- DOMAINNAME should be dm.demo.com
- DNSPREFIX should be unique, for instance demo-42
- Accept the parameters
- Create a new resource group named DCs
- Choose the East US 2 location
- Read & agree to the legal terms (you do this by clicking Purchase, but the template itself is free; you only pay for the Azure resources it creates)
- Click Create
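The same deployment can be scripted instead of clicked through in the portal. The following is an added example, not part of the original lab, that deploys the quickstart template with the Az PowerShell module using the lab's parameter values, then reads back the load balancer's inbound NAT rules so you know which public port maps to each VM's RDP. It assumes you are already signed in with Connect-AzAccount; the template URL is a placeholder, and the camelCase parameter names are derived from the lab's parameter list and must match the version of the template you actually deploy.

```powershell
# Added example (not part of the original lab): deploy the AD forest template from PowerShell,
# then list the per-VM RDP ports that the load balancer NATs onto the shared public IP.
# Assumptions: Az module installed and Connect-AzAccount already done; template URL and
# parameter names are placeholders/assumptions that must match the template you deploy.

$resourceGroup = 'DCs'
$location      = 'East US 2'

# Placeholder: point this at the raw azuredeploy.json of the active-directory-new-domain-ha-2-dc template.
$templateUri = 'https://<raw-template-host>/active-directory-new-domain-ha-2-dc/azuredeploy.json'

# Prompt for the admin password so it only ever exists as a SecureString, never in the script.
$adminPassword = Read-Host -Prompt 'Admin password for the domain controllers' -AsSecureString

# Parameter values from the lab; storage account name and DNS prefix must be globally unique.
$parameters = @{
    newStorageAccountName = 'labdcstorage42'   # constructed sample value, change to a unique name
    adminUsername         = 'labadmin'         # constructed sample value
    adminPassword         = $adminPassword
    adVMSize              = 'Standard_A1'
    domainName            = 'dm.demo.com'
    dnsPrefix             = 'demo-42'
}

# Create the resource group the lab asks for (idempotent thanks to -Force).
New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null

$deployment = New-AzResourceGroupDeployment `
    -Name 'ad-forest-lab' `
    -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri `
    -TemplateParameterObject $parameters `
    -ErrorAction Stop

"Deployment state: $($deployment.ProvisioningState)"

# Both DCs sit behind one public IP; the load balancer maps backend port 3389 of each VM
# to a distinct frontend port (the lab expects 13389 for adBDC). List the NAT rules to confirm.
foreach ($lb in Get-AzLoadBalancer -ResourceGroupName $resourceGroup) {
    foreach ($rule in $lb.InboundNatRules) {
        # The backend IP configuration id is .../networkInterfaces/<nic>/ipConfigurations/<name>,
        # so the third segment from the end is the NIC name, which identifies the VM.
        $nic = ($rule.BackendIPConfiguration.Id -split '/')[-3]
        '{0,-22} {1,-24} frontend {2,5} -> backend {3}' -f $rule.Name, $nic, $rule.FrontendPort, $rule.BackendPort
    }
}
```

The NAT rule listing is the check worth keeping: it tells you the exact port to use before you open an RDP client, and it shows that only the load balancer's frontend ports are exposed, not 3389 on each VM directly.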
Install the AD DS MMC snap-in
- RDP into the adBDC VM
- Verify that RDP for that VM is on port 13389; the load balancer NATs RDP for the two VMs onto the same public IP, so each VM gets its own frontend port
- The Server Manager application should be open
- Right-click ADBDC and select Add Roles and Features
- Click Next on each tab until you reach Features
- Scroll down to Remote Server Administration Tools
- Expand the node until you find AD DS Tools; make sure it is selected
- Click Next
- Click Install
- You'll need to reboot
Add a few users
- The Server Manager application should be open
- Right-click ADBDC; Active Directory Users and Computers should now be available, so select it
- Under the dm.demo.com domain, select the Users folder
- Right-click the Users folder
- Select the New contextual menu option, then the User sub-menu option
- Fill the form with the following fields
  - First Name: Pietro
  - Initials: D
  - Last Name: Maximoff
  - Full Name: Pietro D. Maximoff (should be filled automatically)
  - User logon name: pmaximoff
- Click Next
- Enter the following password and repeat it in the Confirm password field: Abc123!@#
- Unselect User must change password at next logon
- Select Password never expires
- Click Next
- Click Finish
- Repeat the steps for another user (use the same password):
  - First Name: Max
  - Initials: (none)
  - Last Name: Eisenhardt
  - Full Name: Max Eisenhardt (should be filled automatically)
  - User logon name: meisenhardt
- Repeat the steps for another user (use the same password):
  - First Name: Steve
  - Initials: (none)
  - Last Name: Rogers
  - Full Name: Steve Rogers (should be filled automatically)
  - User logon name: srogers
- You should see the users you created in the object list
Add a few groups
- Right-click the Users folder
- Select the New contextual menu option, then the Group sub-menu option
- Enter Goodies in the Group name box
- Click OK
- Perform the same sequence for a group named Baddies
Add a Sync User
We will add a user account that will be used to connect to the directory for syncing with Azure AD.
- Right-click the Users folder
- Select the New contextual menu option, then the User sub-menu option
- Fill the form with the following fields
- First Name: Sync
- Initials: (None)
- Last Name: Account
- Full Name: Sync Account (should be filled automatically)
- User logon name: syncaccount
- Click Next
- Enter the following password and repeat it in the Confirm password field: Abc123!@#
- Unselect User must change password at next logon
- Select Password never expires
- Click Next
- Click Finish
- In the object list, find Enterprise Admins & double-click on it
- Select the Members tab
- Click the Add button
- Type Sync Account in the text box & click the Check Names button; the user account you just created should be resolved
- Click OK to accept the account
- Click OK to accept the modification to the members
- The Sync Account is now a member of Enterprise Admins, which is a prerequisite for AD Connect
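Everything from "Add a few users" through the sync account's group membership can also be done with the ActiveDirectory PowerShell module, which the AD DS Tools installed earlier include. The script below is an added example, not part of the original lab: it creates the three users, the two groups and the sync account with the same settings the snap-in dialogs prescribe, adds the sync account to Enterprise Admins, and ends with the Post Lab check that every object exists. It assumes it is run in an elevated PowerShell session on adBDC against the dm.demo.com domain, and it prompts for the lab password instead of embedding it.

```powershell
# Added example (not part of the original lab): create the lab's users, groups and sync account
# with the ActiveDirectory module, then verify that every object the lab expects is present.
# Assumptions: elevated PowerShell on adBDC after the AD DS Tools are installed; domain dm.demo.com.
Import-Module ActiveDirectory -ErrorAction Stop

$domain    = Get-ADDomain
$usersCn   = "CN=Users,$($domain.DistinguishedName)"   # the Users container the lab works in
$upnSuffix = $domain.DNSRoot                           # dm.demo.com

# The lab uses Abc123!@# for every account; prompt for it rather than hardcoding it here.
$password = Read-Host -Prompt 'Password for the lab accounts' -AsSecureString

# The three users from the lab plus the sync account (same dialog settings for all four).
$users = @(
    @{ Given = 'Pietro'; Initials = 'D'; Surname = 'Maximoff';   Sam = 'pmaximoff' }
    @{ Given = 'Max';    Initials = '';  Surname = 'Eisenhardt'; Sam = 'meisenhardt' }
    @{ Given = 'Steve';  Initials = '';  Surname = 'Rogers';     Sam = 'srogers' }
    @{ Given = 'Sync';   Initials = '';  Surname = 'Account';    Sam = 'syncaccount' }
)

foreach ($u in $users) {
    # Full Name exactly as the snap-in fills it in: "First I. Last" or "First Last".
    $fullName = if ($u.Initials) { "$($u.Given) $($u.Initials). $($u.Surname)" } else { "$($u.Given) $($u.Surname)" }

    # Idempotent: skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { "exists  $($u.Sam)"; continue }

    $params = @{
        Name                  = $fullName
        DisplayName           = $fullName
        GivenName             = $u.Given
        Surname               = $u.Surname
        SamAccountName        = $u.Sam
        UserPrincipalName     = "$($u.Sam)@$upnSuffix"
        Path                  = $usersCn
        AccountPassword       = $password
        Enabled               = $true
        ChangePasswordAtLogon = $false   # "User must change password at next logon" unticked
        PasswordNeverExpires  = $true    # "Password never expires" ticked
    }
    if ($u.Initials) { $params.Initials = $u.Initials }
    New-ADUser @params
    "created $($u.Sam)"
}

# Global security groups, which is what the New Group dialog creates by default.
foreach ($g in 'Goodies', 'Baddies') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $usersCn
        "created group $g"
    }
}

# Membership prescribed by the lab for the sync account (only add if not already a member).
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' | Select-Object -ExpandProperty SamAccountName
if ($eaMembers -notcontains 'syncaccount') {
    Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'syncaccount'
}

# Post Lab check: every object the lab created must resolve in the directory.
$missing = @()
foreach ($sam in $users.Sam) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) { $missing += "user $sam" }
}
foreach ($g in 'Goodies', 'Baddies') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) { $missing += "group $g" }
}
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' | Select-Object -ExpandProperty SamAccountName
if ($eaMembers -notcontains 'syncaccount') { $missing += 'syncaccount in Enterprise Admins' }

if ($missing) { Write-Warning "Missing: $($missing -join ', ')" } else { 'All lab objects present.' }
```

The existence checks before each New-ADUser and New-ADGroup make the script safe to re-run after a partial failure, and the final block doubles as the Post Lab verification: it reports any user, group or membership that the lab expects but that is not in the directory.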
Post Lab
Make sure you find all the objects you created in the object list.