How to Setup a New Active Directory 2016 or 2019 Forest/Domain in Azure/AWS/GCP IaaS
The best way to setup Active Directory is to use our marketplace image in any of the cloud marketplaces (Azure, AWS, Google GCP). Use our image to deploy a new Active Directory 2016 or 2019 Forest/Domain in Azure, AWS or Google. Easily setup a new Active Directory forest or add domain controllers to your existing domain.
Connect to Newly Create Virtual Machine
Once you’ve deployed the Active Directory 2016 or 2019 domain controller to your cloud environment, you now need to RDP to the virtual machine to start the installation steps. Refer to the either of the following guides on how to RDP depending on which cloud marketplace you are using:
- How to RDP to AWS Windows Instance
- How to RDP to Google GCP Windows Instance
- How to RDP to Azure Windows Virtual Machine
Set static IP Address
Once logged in, It is recommended to set your domain controller virtual machine with a static IP address.
Once Active directory is setup on this server, it is also going to act as DNS server. Therefore you will need to change the DNS settings on the network interface and set the server IP address (or local host IP 127.0.0.1) as the primary DNS server.
To get your IP information, open up a command prompt or powershell window and run the following command “Ipconfig /all“
Here you will find your IP Adress, Subnet mask and default gateway. Add this information to your NIC properties. (in my screenshow above, in this demo im using a different VM so my output is slightly different to what i will be using on my DC NIC properties below)
- Right-click the network icon in the bottom right of the Task Bar and select Open Network and Sharing Center from the menu.
- In the Network and Sharing Center, click Change adapter settings.
- On the Network Connections screen, right-click the network adapter for which you want to change the IP address and select
- Select Internet Protocal Version 4 (TCP/IPV4) and click Properties
- Fill in your private IPV4 ip address, subnet mask, default gateway.
- Fill in the preferred DNS server as (127.0.0.1) which is known as your local host IP.
- The alternate DNS server address will be the IP address of another domain controller you have in your forest. If you don’t have any setup yet, you can leave this blank and update later if you are going to setup other domain controllers.
Active Directory Installation Steps
Open up Server Manager and click on the yellow notification and select promote this server to a domain controller
This will start the active directory configuration wizard. In my demo I am going to setup new forest. But if you adding this to an existing domain you can choose the relevant option. Select the option to add new forest and type FQDN for the domain. Then click next.
On the next page you can select the domain and forest functional levels. I am going to set it up with latest (2016). This is the same for 2019. Then type a password for DSRM. Then click next
For the DNS options, this going to be the first DNS server in new forest. So no need any modifications. Click next to proceed.
For the NETBIOS name keep the default and click next
Next page is to define the NTDS, SYSVOL and LOG file folders. You can keep default or define different path for these. In this demo I will be keeping the default paths. Once changes are done, click next to continue
On the next page it will give you the option to review the configuration changes. If everything looks ok you can click next to proceed or otherwise can go back and change the settings.
On the next window it will do a prerequisite check. If it passes, it will enable the option to install. Click on install to begin the installation process.
Then it will start the installation process of promoting this server to a Windows domain controller
After the AD installation, The server will restart automatically. Once it comes back online, log in to the server as domain administrator.
Once logged in, open powershell (as administrator) and type dsac.exe and press enter. It will open up the active directory administrative center. Here you can start managing the domain resources.
Also you can use Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from powershell to confirm the domain and forest functional levels
Active Directory Firewall Ports
In order for your domain controllers to communicate with other domain controllers in your Active Directory, you will need to make sure the following firewall ports are open between domain controllers in your cloud environment or on premises domain if you have a hybrid setup:
- RPC endpoint mapper: port 135 TCP, UDP
- NetBIOS name service: port 137 TCP, UDP
- NetBIOS datagram service: port 138 UDP
- NetBIOS session service: port 139 TCP
- SMB over IP (Microsoft-DS): port 445 TCP, UDP
- LDAP: port 389 TCP, UDP
- LDAP over SSL: port 636 TCP
- Global catalog LDAP: port 3268 TCP
- Global catalog LDAP over SSL: port 3269 TCP
- Kerberos: port 88 TCP, UDP
- DNS: port 53 TCP, UDP
To setup AWS firewall rules refer to – AWS Security Groups
To setup Azure firewall rules refer to – Azure Network Security Groups
To setup Google GCP firewall rules refer to – Creating GCP Firewalls
If you have any questions about the setup of Active Directory in Azure, AWS or Google GCP using our domain controller image leave your comments below and we will reply within 24 hours.