Step-by-Step: Extending Windows Server 2012 Active Directory into the Cloud - Part 2


Hello Folks,

On October second, I wrote about Deploying Active Directory to Azure. However, after re-reading it I realized it was heavy on getting the Point-to-Site VPN going and light on the actual AD deployment part. Let me fix that right now.

In this article we're going to go over the AD part in detail.

Before we start, I recommend you set up your own lab and try this for yourselves. If you're anything like me, you learn by doing it, getting your hands dirty and getting down to brass tacks.

  1. Download Windows Server 2012 or Windows Server 2012 R2 Preview
  2. Use the info in this post to set up your own lab
  3. Consume the following MVA modules (they're full of great info you can access at your convenience.)

1- All right, we have our site-to-site VPN to Azure. The first thing we need to do is define this new network as a new site within AD. In Active Directory Sites and Services, right-click the top-level Sites container in the left pane and click New, Site.


2- In the New Object – Site dialog box, enter a meaningful name that will define the new site, in our case Lab-Azr, and click OK.


3- In the Subnets container, define the subnets we created in our virtual network on Azure:

  • 10.10.1.0/24
  • 10.10.2.0/24

and link both of them to the Lab-Azr site we created in step 2.


4- To speed up the process, we created a Windows Server 2012 server from the gallery in Azure.


5- We gave it the name AZR-DC2 and some local credentials that will be used until we join it to the domain.


6- In the machine configuration, ensure that the virtual network subnet is one of the subnets we assigned to the Lab-Azr AD site in step 3.


7- The Azure endpoints are left at their defaults; click the check mark in the lower right corner to start the provisioning process.


The machine will be created and started (it took about 10 minutes on our end).


8- Once the machine is created, on the virtual machine details page for AZR-DC2, click the Attach button on the bottom navigation toolbar and select Attach Empty Disk.


9- Complete the following fields on the Attach an empty disk to the virtual machine form:

- Name: AZR-DC2-Data1
- Size: 10 GB
- Host Cache Preference: None


10- Once the disk is attached, click the Connect button at the bottom of the Portal page and access the server we just created using Remote Desktop.

Once logged on, create a new partition on the data disk we attached earlier and format it as a new F: NTFS volume. This volume will hold the NTDS DIT database, the log files and the SYSVOL folder, keeping them off the OS disk.


11- Using Server Manager, install Active Directory Domain Services on the newly created machine and promote it as a new DC in an existing Active Directory domain with the following parameters:
- Active Directory domain name: DNS name of the on-premise Active Directory domain, in our case Contoso.com
- Active Directory site name: Lab-Azr


12- When asked to specify the AD DS database, log files and SYSVOL locations, point them to the F: drive as shown below.


13- The machine will be promoted and, once rebooted, will appear in our AD, as seen below on premise on DC1.


14- To be able to manage it using our on-premise Server Manager, log on to the AZR-DC2 machine and ensure that Remote Management is enabled in Server Manager.


15- All that is left to do at this point is to add it to the console on the server we use to manage our environment. For me that would be the DC1 machine in my lab.

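The same steps as PowerShell, added here as an example and not part of the original post: steps 1 to 3 run on the on-premise DC (DC1), steps 10 to 14 run on AZR-DC2. It assumes the new site joins the DEFAULTIPSITELINK site link, that the VM has exactly one raw data disk, and that a Contoso.com Domain Admin credential and a DSRM password are entered at the prompts.

```powershell
# Added example (not the original post's code). Assumptions: new site joins
# DEFAULTIPSITELINK; one raw data disk on the VM; credentials typed at prompts.

# --- Steps 1-3: run on the on-premise DC (DC1): site, subnets, links ---
Import-Module ActiveDirectory
$siteName = 'Lab-Azr'
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
    # Assumption: the site-link chosen in the GUI wizard was the default one.
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }
}
foreach ($cidr in '10.10.1.0/24', '10.10.2.0/24') {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $siteName
    }
}
# Check: both Azure subnets must map to Lab-Azr, otherwise the new DC
# lands in Default-First-Site-Name and replicates over the wrong link.
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$siteName,*" } |
    Select-Object Name, Site

# --- Step 10: run on AZR-DC2: the empty data disk becomes F: (NTFS) ---
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

# --- Steps 11-12: install the role and promote into Contoso.com, site Lab-Azr,
#     with the DIT, logs and SYSVOL on the data disk instead of the OS disk ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$params = @{
    DomainName                    = 'contoso.com'
    SiteName                      = 'Lab-Azr'
    DatabasePath                  = 'F:\NTDS'
    LogPath                       = 'F:\NTDS'
    SysvolPath                    = 'F:\SYSVOL'
    Credential                    = (Get-Credential -Message 'Contoso.com Domain Admin')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString 'DSRM password')
    InstallDns                    = $true
}
# Run the prerequisite check first; promote (and reboot) only if it passes.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -eq 'Success') {
    Install-ADDSDomainController @params -Force
}

# --- Step 14: let Server Manager on DC1 manage this server remotely ---
Configure-SMRemoting.exe -Enable
```

The subnet listing before the promotion is the check worth keeping: if it does not show both subnets under Lab-Azr, fix the site mapping before running the promotion, because the DC's site is chosen from the subnet its address falls in.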

Now that we have demonstrated how to extend our network and our AD to Azure, we can start using it for other workloads such as VM failover, file replication and rapid deployment of application servers to support the business units, and let all of them identify and authenticate our users and service accounts.

We will cover some of these workloads in the following weeks. Feel free to leave a comment if there is a particular workload you want us to look at.

Cheers!


Pierre Roman | Technology Evangelist