Azure AD Connect – Setup a Test AD

This post is part of a series, for the series contents see:
https://irankon.wordpress.com/post-lists/azure-ad-connect/

There’s no point setting up Azure AD Connect if I haven’t even got a directory to sync up to Azure, so that’s step one.

This series of posts will make use of the VMs I’ve already set up as part of the Azure IaaS Lab posts:

  1. ad-vm
  2. aadconnect-vm

NTDS Disk Setup

First up, when I created ad-vm earlier I didn’t give it a data disk, so I need to do that now so that I have somewhere for my AD NTDS files etc. to live.

If you were doing this on-premises you might simply ignore best practice and stick everything on your C: drive, but if you do that on an Azure IaaS VM you’ll soon run into corruption issues. Microsoft have published some helpful guidelines for setting up AD on an IaaS box and the key bits are:

  • Make sure you’ve got a reserved/static IP address (I already did this when setting up ad-vm)
  • Make sure you add a separate data disk for your NTDS files. The caching setting on this disk should also be set to “None” (the default is Read/Write), because AD relies on write-through for its database and host caching on the disk can undermine that.

To add a data disk I used this code:

##############
# The Basics #
##############

#Login to Azure (classic) and resource manager
Add-AzureAccount
Login-AzureRmAccount

#Just in case you have multiple subscriptions check which one you're working in
Get-AzureSubscription

#If you need to select your test subscription use:
#Set-AzureSubscription -SubscriptionName <name>

#Note: the two cmdlets above only affect the classic (ASM) context. The AzureRm cmdlets
#used below have their own context, so check and select it with:
#Get-AzureRmSubscription
#Select-AzureRmSubscription -SubscriptionName <name>

#############################
# Add an NTDS Disk to AD-VM #
#############################

#First setup the variables
$RGName = "internal-rg"
$VMName = "ad-vm"
$NTDSDiskName = $VMName + "NTDSDisk"
$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name internalvmstr
$NTDSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $NTDSDiskName + ".vhd"

#Add an NTDS disk to the VM
$vm = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName

Add-AzureRmVMDataDisk -VM $vm `
 -Name $NTDSDiskName `
 -VhdUri $NTDSDiskUri `
 -LUN 0 `
 -Caching None `
 -DiskSizeinGB 10 `
 -CreateOption Empty

Update-AzureRmVM -ResourceGroupName $RGName -VM $vm

Install and Setup AD DS

The PowerShell for the next few steps is all run directly on ad-vm itself. I suppose, technically, you could get a remote PS session set up to ad-vm and run these commands using “Invoke-Command”, but for something as one-off as this I didn’t really see the need to go to all that hassle.

If you fancy giving it a go, there’s a good blog post here with some instructions for setting up WinRM.

In the previous section we added a data disk to ad-vm to host our NTDS files; before I can use it for that, I need to initialise and format the disk in Windows:

#Within Windows setup the NTDS disk we've added to AD-VM
Get-Disk | `
Where-Object PartitionStyle -eq "RAW" | `
Initialize-Disk -PartitionStyle GPT -PassThru | `
New-Partition -AssignDriveLetter -UseMaximumSize | `
Format-Volume -FileSystem NTFS `
-NewFileSystemLabel "NTDS" `
-Confirm:$false

Because of the various extra scratch disks that exist on an IaaS VM this new disk will end up as an “F:” drive.

With that in place, all that is left is to install the AD DS role and set up a new forest. You’ll want to put your own domain details in below, or you’ll run into problems later when we set up AAD Connect.

#Still on the ad-vm
#Install AD DS
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

#You might be prompted to reboot here but you don't have to

#Setup AD DS
Import-Module ADDSDeployment
Install-ADDSForest `
 -CreateDnsDelegation:$false `
 -DatabasePath "F:\NTDS" `
 -DomainMode "Win2012R2" `
 -DomainName "irankon.tk" `
 -DomainNetbiosName "irankon" `
 -ForestMode "Win2012R2" `
 -InstallDns:$true `
 -LogPath "F:\NTDS" `
 -NoRebootOnCompletion:$false `
 -SysvolPath "F:\SYSVOL" `
 -Force:$true

#Enter a recovery password when prompted

At the end of the process you’ll be prompted to enter a directory services restore mode password, so type something in there and then give the box a final reboot.

Of course, if you were doing this using “Invoke-Command” and wanted to pre-populate the password, you can simply use the “-SafeModeAdministratorPassword” parameter with a SecureString value.
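As an added check (not part of the original post), this script verifies the two things the whole procedure was aiming for: on ad-vm, that the NTDS database, its logs and SYSVOL actually landed on the data disk rather than C:, and from the management box, that the data disk was attached with caching set to None. It assumes the “NTDS” volume label, the internal-rg / ad-vm names from above, and the standard NTDS and Netlogon registry value names.

```powershell
# Added verification script, not code from the original post.

function Get-NtdsDriveLetter {
    # Resolve the letter the "NTDS" volume actually received; the post saw F:,
    # but Azure scratch disks can shift letters, so don't hard-code it.
    $vol = Get-Volume -FileSystemLabel 'NTDS' -ErrorAction Stop
    return "$($vol.DriveLetter):"
}

function Test-DcPathsOnDataDisk {
    # Run on ad-vm after the final reboot. Reads the paths the DC promotion
    # recorded and flags any that are not on the expected data disk.
    param([string]$ExpectedDrive = (Get-NtdsDriveLetter))
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $paths = [ordered]@{
        'DSA Database file'       = $ntds.'DSA Database file'        # ntds.dit
        'Database log files path' = $ntds.'Database log files path'  # edb*.log
        'DSA Working Directory'   = $ntds.'DSA Working Directory'
        'SysVol'                  = $netlogon.SysVol
    }
    foreach ($name in $paths.Keys) {
        $path = [string]$paths[$name]
        [pscustomobject]@{
            Setting    = $name
            Path       = $path
            OnDataDisk = ($path.Length -gt 0) -and
                         $path.ToUpper().StartsWith($ExpectedDrive.ToUpper())
        }
    }
}

function Test-NtdsDiskCaching {
    # Run from the workstation with the AzureRm module, not on ad-vm: confirms
    # every data disk on the VM has host caching disabled.
    param([string]$RGName = 'internal-rg', [string]$VMName = 'ad-vm')
    $vm = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
    foreach ($disk in $vm.StorageProfile.DataDisks) {
        [pscustomobject]@{
            Disk    = $disk.Name
            Lun     = $disk.Lun
            Caching = $disk.Caching
            Ok      = ("$($disk.Caching)" -eq 'None')
        }
    }
}

# Usage on ad-vm: anything with OnDataDisk = False means the forest was built
# with paths on the OS disk and should be rebuilt before going further.
Test-DcPathsOnDataDisk | Format-Table -AutoSize
```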
