Hello and welcome to my contribution for the Festive Tech Calendar. This community event is organised by the community for the community. This year they are raising money for Missing People. Check out the website to see all the participants from this year’s edition.
Identity and security are 2 of the most important things in your Azure environment and a domain controller is one of the basic components.
The easiest way to create a new forest or add a new domain controller to an existing forest, is through the gui. This requires access to the virtual machine through the Remote Desktop Protocol.
In this blogpost I’m going to show a way of doing the above without having to logon to the virtual machine. You should limit the access to your domain controller as much as possible. In this blogpost I’ll show you how to use the Run Command in the Azure portal.
If you want to learn more about this feature please check the official documentation via this link.
Important to know is that if you run a command that will prompt you (for example a password prompt), this feature can’t be used. You can always reference a Keyvault secret in the Powershell script to avoid this limitation.
Prerequisites
If you deploy a domain controller in Azure there are some best practices:
- 2 domain controllers per Azure Region split in 2 availability zones or availability set
- you can use server 2022 with the small disk sku of 64GB
- add another disk with 30GB with no caching
- I use F2s_v2 sku for the domain controllers
- both domain controllers in a different identity subnet with NSG in your hub virtual network
In this example I’m creating a new ADDS forest .
First of all, do not to forget to put the nic with a static ip address. If you don’t do this the output of the commands will tell you to assign a static ip. You shouldn’t assign a ip in side your virtual machine. In Azure you can assign a static ip in the ipconfig of your Network Interface Card.
Select the name of the ip configuration so you can put the ip config on static. Important to know is that although you set the ip config on the NIC as static the OS won’t see this. It will still say that you need to configure a static IP.
Now we are ready to run all the scripts on the server.
Go to the Azure portal and look up the virtual machine and look for Run command in the left blade in the operations section.
You now get the options what type of command you want to run. Select RunPowershellScript.
The first thing we need to do is to format the extra drive that is created to host the AD database.
Get-Disk | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -NewDriveLetter 'F' -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false
The next powershell command to run it to install ADDS and DNS feature on the server
Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools
Install-windowsfeature -name DNS -IncludeManagementTools
After a while you will get the following output. Here you will also see the message from the static ip.
The next part is to promote the server to domain controller. For this blog I’ve put the password in plain text. To maximize security you would want to use an Azure Keyvault for the SafeModeAdministratorPassword.
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "F:\windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "corp.johanvanneuville.com" `
-DomainNetbiosName "CORP" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "F:\windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "F:\windows\SYSVOL" `
-SafeModeAdministratorPassword (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force) `
-Force:$true
When the command is successful you will see the following output. Your new ADDS forest is now ready to be used.
This concludes this blog post about deploying a domain controller without an RDP connection. If you have any questions about this, feel free to contact me.