Automate Active Directory deployment template/script for Azure

To set up Active Directory in Azure, use our automated deployment solution, which fully configures Active Directory in Azure for you.


Active Directory Solution Template Features


  • Choose between 2 and 50 DC VMs
  • Choose the names for the domain, the DCs and the network objects, and the domain admin credentials
  • Choose the VM size for all DCs
  • Choose Windows Server 2016 or 2019 as the OS version
  • DNS is fully configured and the Azure vNet DNS server addresses are updated
  • Provide group policies to your servers in Azure and on-premises
  • Provide AD authentication services to your applications in Azure and to any new VM deployments
  • Provide DNS name resolution to your servers and applications in Azure
  • Provide hybrid Active Directory for both Azure and on-premises environments


Deploy Active Directory Domain IaaS in Azure


Active Directory Setup Steps

The following fields are required to get the setup started via the Azure portal:

Step 1 – Active Directory domain admin credentials

The first step is to provide the domain admin user and password. This needs to be a complex password. Choose any region you like, then click ‘New Domain Deployment Details’.

Step 2 – New Domain Deployment Details

  1. Choose which OS version you would like to set up (2019 or 2016).
  2. Choose the name of the domain you would like to set up.
  3. Choose how many domain controllers you would like.
  4. The name of the vNet that you would like to create. An existing vNet can’t be used; a new vNet has to be created, because DNS changes will be made to the vNet to point to the new domain controllers. You can choose the IP address range you would like. Once deployment has completed, you can peer this vNet with existing vNets, allowing you to connect to any existing networks you have set up.
  5. Leave the DC Subnet as default.

Step 3 – DC VM Details

Next, choose the DC VM host name prefix. A number is appended to the prefix for each new VM that is created; for example, with the default prefix of ADDC and 4 DCs deployed, the VMs will be called:

  • ADDC-0
  • ADDC-1
  • ADDC-2
  • ADDC-3

Then select the VM size you would like for your domain controllers.

Step 4 – Review + Create

The last step runs a validation to make sure the details you entered in the previous steps are correct. If happy, press Create and wait for the deployment to finish.

To see the status of the deployment, open the Resource Group you’ve deployed to and scroll to ‘Deployments’. In my deployment you can see it took 34 minutes to fully set up.

Active Directory Networking

The deployment creates a new vNet. If you have existing vNets, you can peer this new vNet with them, allowing you to connect the new domain controllers to your network. Within the new vNet, click on peering and peer with your existing vNets.


Microsoft documentation on peering networks – https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal


RDP to Domain Controllers

The deployment of the domain controllers doesn’t create a public IP. If you have an internal vNet and peer the new AD vNet with your existing vNets, you can RDP over the private IP.

However, if you want to RDP externally to a public IP, create a public IP and associate it with one of the newly created domain controllers. The following Microsoft documentation explains how to create a public IP and associate it with a VM:

Create Azure public IP address: https://docs.microsoft.com/en-us/azure/virtual-network/create-public-ip-portal?tabs=option-create-public-ip-standard-zones

Associate public IP to VM: https://docs.microsoft.com/en-us/azure/virtual-network/associate-public-ip-address-vm#azure-portal

Active Directory Firewall Ports

In order for your domain controllers to communicate with the other domain controllers in your Active Directory, make sure the following firewall ports are open between the domain controllers in your cloud environment and, if you have a hybrid setup, your on-premises domain:

  • RPC endpoint mapper: port 135 TCP, UDP
  • NetBIOS name service: port 137 TCP, UDP
  • NetBIOS datagram service: port 138 UDP
  • NetBIOS session service: port 139 TCP
  • SMB over IP (Microsoft-DS): port 445 TCP, UDP
  • LDAP: port 389 TCP, UDP
  • LDAP over SSL: port 636 TCP
  • Global catalog LDAP: port 3268 TCP
  • Global catalog LDAP over SSL: port 3269 TCP
  • Kerberos: port 88 TCP, UDP
  • DNS: port 53 TCP, UDP

If you are using an Azure Network Security Group, refer to Azure Network Security Groups to set up the equivalent rules.
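As an added example (not part of the deployment template or this post), the following Az PowerShell script turns the port list above into a Network Security Group attached to the DC subnet, and also covers the RDP-over-public-IP case from the previous section by allowing 3389 only from a single management address. The resource names, address ranges and management address are assumptions to replace with your own; the RPC dynamic port range is an addition to the page's list.

```powershell
# Added example (not part of the deployment template): create an NSG that opens
# the AD ports listed above only from the DC subnet itself and the on-premises
# range, allows RDP only from one management host, and attaches it to the DC
# subnet. Every name, range and address below is an assumption for illustration.
$rg       = 'rg-addc'          # assumed resource group the template deployed to
$location = 'uksouth'          # assumed region
$vnetName = 'vnet-addc'        # assumed vNet name chosen in Step 2
$dcSubnet = 'DC-Subnet'        # assumed DC subnet name (left as default)
$dcPrefix = '10.10.0.0/24'     # assumed DC subnet address range
$onPrem   = '192.168.0.0/16'   # assumed on-premises range reached via peering/VPN
$mgmt     = '203.0.113.10/32'  # assumed management host allowed to RDP

# Ports from the list above, grouped by protocol so each group is one rule.
$tcpPorts = @('53','88','135','137','139','389','445','636','3268','3269')
$udpPorts = @('53','88','135','137','138','389','445')
# Not in the list above: AD replication and other RPC-based services also use
# the RPC dynamic port range (TCP 49152-65535 on Windows Server 2008 and later).
$tcpPorts += '49152-65535'
$dcSources = @($dcPrefix, $onPrem)   # DC-to-DC inside Azure plus hybrid DCs

$rules = @(
  New-AzNetworkSecurityRuleConfig -Name 'Allow-AD-TCP-From-DCs' `
    -Description 'DNS, Kerberos, RPC, NetBIOS, LDAP(S), SMB, GC between DCs' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $dcSources -SourcePortRange '*' `
    -DestinationAddressPrefix $dcPrefix -DestinationPortRange $tcpPorts
  New-AzNetworkSecurityRuleConfig -Name 'Allow-AD-UDP-From-DCs' `
    -Description 'UDP counterparts of the AD ports' `
    -Access Allow -Protocol Udp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $dcSources -SourcePortRange '*' `
    -DestinationAddressPrefix $dcPrefix -DestinationPortRange $udpPorts
  # RDP reaches the DCs only from the management host; with this NSG on the
  # subnet, the default DenyAllInBound rule blocks 3389 from the Internet
  # even if a public IP is later attached to a DC NIC.
  New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Mgmt' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 `
    -SourceAddressPrefix $mgmt -SourcePortRange '*' `
    -DestinationAddressPrefix $dcPrefix -DestinationPortRange '3389'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-addc' -ResourceGroupName $rg `
         -Location $location -SecurityRules $rules

# Attach the NSG to the DC subnet of the vNet the template created.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $dcSubnet `
  -AddressPrefix $dcPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The default AllowVnetInBound rule still admits traffic from peered vNets (member servers and clients authenticating to the DCs), so only the listed ports from the DC ranges and RDP from the management host are added explicitly.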

Support

If you experience any issues with this deployment solution, please contact us and we will be happy to assist.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years of experience working in complex infrastructure environments, and a Microsoft Certified Solutions Expert on everything cloud.
