How to Setup Active Directory Cloud Domain on Azure/AWS/GCP

The best way to set up and install Active Directory (AD) in the cloud on Azure, AWS or Google GCP is to use our Domain Controller image from the cloud marketplace. Use the image to deploy a new Active Directory domain/forest in Azure, AWS or GCP, or to add domain controllers to your existing domain. It suits either a hybrid AD environment or a cloud-only AD: replicate IaaS domain controller VMs between the cloud and on-premises, or provide Active Directory authentication to users, servers and applications running in the cloud.

Setup Active Directory in the Cloud

Active Directory Cloud Benefits

  • The perfect solution for providing Active Directory domain services to your servers in Azure, AWS and Google GCP.
  • Enable hybrid Active Directory by connecting your existing AD with your Azure tenant, AWS or GCP.
  • Provide Group Policies to your servers in the cloud.
  • Provide AD authentication services to your applications.
  • Extend on-premises Active Directory into Azure, AWS and GCP, replicating on-premises domain controllers to new domain controllers in Azure, AWS or GCP.
  • Provide DNS name resolution to your servers and applications in the cloud.

Setup Active Directory Domain Services

Once you’ve deployed domain controllers into the cloud, perform the following steps to either create a new domain or add these domain controllers to your existing domain.

Connect to Cloud Domain Controllers

Once you’ve deployed the Active Directory 2016 or 2019 domain controller to your cloud environment, RDP to the virtual machine to start the installation steps. Refer to either of the following guides on how to RDP, depending on which cloud marketplace you are using:

Set static IP Address

Once logged in, it is recommended to give your domain controller virtual machine a static IP address.

Once Active Directory is set up on this server, it will also act as a DNS server. Therefore you need to change the DNS settings on the network interface and set the server's own IP address (or the local host address 127.0.0.1) as the primary DNS server.

To get your IP information, open a command prompt or PowerShell window and run the following command:

    ipconfig /all

Here you will find your IP address, subnet mask and default gateway. Add this information to your NIC properties. (The screenshot above was taken on a different VM for this demo, so its output differs slightly from the values used in the DC NIC properties below.)

  1. Right-click the network icon at the bottom right of the taskbar and select Open Network and Sharing Center from the menu.
  2. In the Network and Sharing Center, click Change adapter settings.
  3. On the Network Connections screen, right-click the network adapter for which you want to change the IP address and select
  4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  5. Fill in your private IPv4 address, subnet mask and default gateway.
  6. Fill in the preferred DNS server as 127.0.0.1, which is the local host address.
  7. The alternate DNS server address is the IP address of another domain controller in your forest. If you don’t have one yet, leave it blank and update it later when you set up additional domain controllers.

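As an added example (not from the original article), here is the same change made from PowerShell: it reads the values that ipconfig /all shows, pins them as a static address on the adapter, and sets the preferred and alternate DNS servers as in steps 6 and 7. The adapter alias and the alternate DC address are assumptions to replace. Two caveats that are not in the article: the cloud platform must keep this address reserved for the NIC (for example a static private IP on the Azure NIC), which is controlled on the cloud side rather than by this script, and the address is briefly removed and re-added, so an RDP session may drop and need to be reconnected.

```powershell
# Added example (not from the original article): pin the DHCP-leased address of a
# cloud DC as a static IPv4 address and point DNS at the local server.
# Assumptions: the adapter alias and the alternate DC address are placeholders;
# run in an elevated PowerShell session on the DC VM.

param(
    [string]$InterfaceAlias = 'Ethernet',   # check the real name with Get-NetAdapter
    [string]$AlternateDnsServer = ''        # IP of another DC in the forest, if one exists
)

# Read what the cloud DHCP service handed out; these are the same values that
# "ipconfig /all" shows (IPv4 address, subnet mask as prefix length, default gateway).
$cfg     = Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
$ipv4    = $cfg.IPv4Address | Select-Object -First 1
$gateway = $cfg.IPv4DefaultGateway.NextHop

if (-not $ipv4 -or -not $gateway) {
    throw "No IPv4 address or default gateway found on adapter '$InterfaceAlias'."
}

Write-Host "Pinning $($ipv4.IPAddress)/$($ipv4.PrefixLength) with gateway $gateway on $InterfaceAlias"

# Disable DHCP on the interface, drop the leased address and route, then re-add
# the identical values statically. The address does not change, so replication
# partners and clients keep working once the adapter comes back.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $ipv4.IPAddress `
    -PrefixLength $ipv4.PrefixLength -DefaultGateway $gateway | Out-Null

# Step 6: preferred DNS is the local host, because this server will host DNS once
# AD DS is installed. Step 7: alternate DNS is another DC, when one exists.
$dnsServers = @('127.0.0.1')
if ($AlternateDnsServer) { $dnsServers += $AlternateDnsServer }
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $dnsServers

# Show the result for comparison with the NIC properties dialog.
Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
```

Run it as `.\Set-DcStaticIp.ps1 -InterfaceAlias 'Ethernet' -AlternateDnsServer '10.0.1.5'` (the path and addresses are placeholders); omit `-AlternateDnsServer` for the first DC in a new forest, exactly as step 7 describes.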
Active Directory Installation Steps

Open Server Manager, click the yellow notification flag and select Promote this server to a domain controller.

Deployment Configuration (Add a new forest / Add to existing domain)

This starts the Active Directory Domain Services Configuration Wizard. In my demo I am going to set up a new forest, but if you are adding this server to an existing domain, choose the relevant option instead. Select the option to add a new forest, type the FQDN for the domain, then click Next.

Domain / Forest Functional Levels

On the next page you can select the domain and forest functional levels. I am going to set both to the latest available level (Windows Server 2016); this is the same for Active Directory on Windows Server 2019 or 2022. Then type a password for DSRM (Directory Services Restore Mode) and click Next.

DNS Delegation

For the DNS options, this is going to be the first DNS server in the new forest, so no modifications are needed. Click Next to proceed.

NetBIOS Domain Name

For the NetBIOS name, keep the default and click Next.

AD DS Database, Log Files, SYSVOL Paths

The next page defines the NTDS database, log file and SYSVOL folders. You can keep the defaults or define different paths; in this demo I keep the default paths. Once done, click Next to continue.

Review Active Directory Configuration Changes

The next page lets you review the configuration changes. If everything looks OK, click Next to proceed; otherwise go back and change the settings.

Active Directory Prerequisites Check

The next window runs a prerequisites check. If it passes, the Install option is enabled. Click Install to begin the installation process.

The installation then promotes this server to a Windows domain controller.

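The wizard pages above map one-to-one onto parameters of the ADDSDeployment cmdlets. The following script is an added example, not the article's own procedure: it runs the same prerequisites check the wizard runs, then promotes the server either as the first DC of a new forest or as an additional DC in an existing domain. The domain name, NetBIOS name and file paths are placeholders; the DSRM password is prompted for rather than hard-coded.

```powershell
# Added example (not from the original article): the wizard steps as a script.
# Assumptions: domain/NetBIOS names are placeholders; run elevated on the new DC VM.

param(
    [switch]$AddToExistingDomain,              # wizard: "Add a domain controller to an existing domain"
    [string]$DomainName  = 'ad.example.test',  # wizard: domain FQDN (placeholder)
    [string]$NetbiosName = 'AD'                # wizard: NetBIOS name (placeholder)
)

# Make sure the AD DS role and its management tools are installed (idempotent).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Wizard page "Domain Controller Options": the DSRM password, prompted securely.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

# Wizard page "Paths": the defaults the article keeps. InstallDns makes this
# server a DNS server, matching the article's DNS setup.
$common = @{
    DomainName                    = $DomainName
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

function Assert-Prereqs {
    # Wizard page "Prerequisites Check": stop before promoting a server that fails it.
    param([object]$Result)
    $Result.Message | ForEach-Object { Write-Host $_ }
    if ("$($Result.Status)" -ne 'Success') {
        throw 'Prerequisite check failed; fix the reported issues before promoting.'
    }
}

if ($AddToExistingDomain) {
    # Wizard option "Add a domain controller to an existing domain": needs credentials
    # of an account allowed to add DCs; replication source is chosen automatically.
    $dc = $common + @{ Credential = (Get-Credential -Message 'Domain admin for the existing domain') }
    Assert-Prereqs (Test-ADDSDomainControllerInstallation @dc)
    Install-ADDSDomainController @dc -Force      # reboots when done, like the wizard
} else {
    # Wizard option "Add a new forest": functional levels Windows Server 2016
    # (WinThreshold) and no DNS delegation, because there is no parent zone to
    # delegate from for the first DNS server in the forest.
    $forest = $common + @{
        DomainNetbiosName   = $NetbiosName
        ForestMode          = 'WinThreshold'
        DomainMode          = 'WinThreshold'
        CreateDnsDelegation = $false
    }
    Assert-Prereqs (Test-ADDSForestInstallation @forest)
    Install-ADDSForest @forest -Force            # reboots when done, like the wizard
}
```

The Test-ADDS* cmdlets accept the same parameters as their Install-ADDS* counterparts, which is why one hashtable is splatted into both: the check and the promotion are guaranteed to use identical settings. After the reboot, the Get-ADDomain and Get-ADForest commands shown later in this article confirm the functional levels the script requested.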
Login to Domain Controller as Domain Administrator

After the AD DS installation, the server restarts automatically. Once it is back online, log in to the server as the domain administrator.

Active Directory Administrative Center

Once logged in, open PowerShell (as administrator) and type:

    dsac.exe

Press Enter. This opens the Active Directory Administrative Center, where you can start managing the domain resources.

In the Active Directory Administrative Center, click Overview:

You can also run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from PowerShell to confirm the domain and forest functional levels.

Test Active Directory Replication

If you have deployed multiple domain controllers (highly recommended), the next step is to make sure replication between them is working correctly. You can check it with Microsoft's Repadmin command-line tool, run from a PowerShell or command prompt window, or alternatively check out our Active Directory Reporting Tool.

Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications, servers, etc.).

Repadmin is an Active Directory diagnostic tool to check for replication of domain controllers, replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.

Run the following command to list all available repadmin commands:

    repadmin /?

You should receive the following output:

Usage: repadmin   [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:][:]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:    Displays the list of possible arguments , appropriate
            syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported  commands (use /? for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp

Repadmin.exe has many commands; let's take a look at the most popular and useful ones:

  • /syncall – synchronizes a given DC with its replication partners
  • /prp – if you use a Password Replication Policy (PRP) for read-only DCs, this command helps you manage it
  • /queue – shows the current replication queue
  • /replicate – performs replication from one DC to another
  • /replsingleobj – handy if you need to replicate only one particular object between DCs
  • /replsummary – shows a report of the current replication state and health of the forest
  • /showattr – shows the attributes of an object
  • /showbackup – displays the last backup time
  • /showrepl – shows the current replication status of a DC

Repadmin - Summarise Domain Controller Replication Health

The following command gives you an overview of Active Directory replication health between domain controllers. It shows the percentage of replication attempts that have failed as well as the largest replication deltas.

    repadmin /replsummary

The output looks something like this if replication is successful:

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 DC1                       52m:48s    0 /   5    0
 DC2                       52m:46s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 DC1                       52m:46s    0 /   5    0
 DC2                       52m:48s    0 /   5    0

Repadmin - Get Replication Partner Status

To drill down into the replication partner status of each domain controller, run the following command. It helps you understand the role of each DC in the replication process, and it shows the DSA object GUID of each replication partner for every naming context (as in the output below), which helps identify which partner and partition is failing.

    repadmin /showrepl

The status results should look something like this:

Repadmin: running command /showrepl against full DC dc1.ad.cloudinfrastructureservices.co.uk
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2021-12-09 03:52:08 was successful.

CN=Configuration,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2021-12-09 03:52:08 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2021-12-09 03:52:08 was successful.

DC=DomainDnsZones,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2021-12-09 03:52:08 was successful.

DC=ForestDnsZones,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2021-12-09 03:52:08 was successful.

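Reading the /replsummary and /showrepl output by eye works for two DCs, but it does not scale and it does not catch a partner that is "successful" yet has not replicated for days. The following added example (not from the original article) uses the CSV form that the help output above points to (repadmin /showrepl with /csv, targeted at all DCs with *) and turns each inbound partner row into an object flagged healthy or not. The embedded rows are constructed sample data with placeholder DC names and naming contexts so the logic runs offline; -Live queries the real forest.

```powershell
# Added example (not from the original article): parse "repadmin /showrepl * /csv"
# and flag inbound replication partners that are failing or have gone stale.

function Get-SampleShowreplCsv {
    # Constructed sample in the /csv layout (placeholder names). Timestamps are
    # relative to now so the first two partners look healthy and the third broken:
    # three failures, last error 1722 (RPC server unavailable), last success 2 days ago.
    $fmt   = 'yyyy-MM-dd HH:mm:ss'
    $fresh = (Get-Date).AddMinutes(-52).ToString($fmt)
    $old   = (Get-Date).AddDays(-2).ToString($fmt)
    $fail  = (Get-Date).AddMinutes(-12).ToString($fmt)
    @(
        'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
        "showrepl_INFO,Default-First-Site-Name,DC1,""DC=ad,DC=example,DC=test"",Default-First-Site-Name,DC2,RPC,0,0,$fresh,0",
        "showrepl_INFO,Default-First-Site-Name,DC1,""CN=Configuration,DC=ad,DC=example,DC=test"",Default-First-Site-Name,DC2,RPC,0,0,$fresh,0",
        "showrepl_INFO,Default-First-Site-Name,DC2,""DC=ad,DC=example,DC=test"",Default-First-Site-Name,DC1,RPC,3,$fail,$old,1722"
    )
}

function Get-ReplicationStatus {
    param(
        [switch]$Live,            # run repadmin against every DC instead of the sample
        [int]$MaxAgeHours = 24    # a partner with no success for longer than this is stale
    )
    $fmt    = 'yyyy-MM-dd HH:mm:ss'
    $csv    = if ($Live) { repadmin /showrepl * /csv } else { Get-SampleShowreplCsv }
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    # One row per naming context per inbound partner; the header row names the columns.
    foreach ($r in ($csv | ConvertFrom-Csv)) {
        $failures = [int]$r.'Number of Failures'
        $lastOk   = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::ParseExact($r.'Last Success Time', $fmt, $null)
        }
        # "0" means there has never been a successful replication from this partner.
        $stale = ($null -eq $lastOk) -or ($lastOk -lt $cutoff)

        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastOk
            LastError     = $r.'Last Failure Status'   # Win32 error code, e.g. 1722
            Healthy       = ($failures -eq 0) -and (-not $stale)
        }
    }
}

# Usage: list only the partners that need attention (add -Live on a real DC).
Get-ReplicationStatus | Where-Object { -not $_.Healthy } | Format-Table -AutoSize
```

Two checks are combined on purpose: a non-zero failure count catches partners that are actively erroring, while the age of the last success catches partners that are silently not being asked to replicate at all, which a failure count of zero would hide. Run it on a schedule and alert on any row with Healthy set to false.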
Active Directory Cloud Firewall Ports

For your domain controllers to communicate with each other in your Active Directory, make sure the following firewall ports are open between domain controllers in your cloud environment, and to your on-premises domain if you have a hybrid setup:

  • RPC endpoint mapper: port 135 TCP, UDP
  • NetBIOS name service: port 137 TCP, UDP
  • NetBIOS datagram service: port 138 UDP
  • NetBIOS session service: port 139 TCP
  • SMB over IP (Microsoft-DS): port 445 TCP, UDP
  • LDAP: port 389 TCP, UDP
  • LDAP over SSL: port 636 TCP
  • Global catalog LDAP: port 3268 TCP
  • Global catalog LDAP over SSL: port 3269 TCP
  • Kerberos: port 88 TCP, UDP
  • DNS: port 53 TCP, UDP

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls
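The port list above says what to open, not where from. Opening these ports to any source exposes LDAP, SMB and Kerberos on the DCs to the whole network, so the rules should name the DC and member subnets explicitly. The following added example (not from the original article, nor Microsoft's) builds that rule set on an Azure Network Security Group with the Az.Network module; the resource names and address ranges are placeholders. One entry is not in the article's list: AD replication and other RPC services move to the dynamic port range after the client contacts the endpoint mapper on 135, so that range is added and labelled as such.

```powershell
# Added example (not from the original article): inbound Azure NSG rules for the
# AD port list, scoped to named subnets. Requires Az.Network and an existing NSG
# attached to the DC subnet or NICs. Names and CIDRs below are placeholders.

Import-Module Az.Network

$resourceGroup = 'rg-ad-placeholder'
$nsgName       = 'nsg-dc-placeholder'
# Sources allowed to reach the DCs: the cloud DC subnet, the on-premises DC range
# (over VPN/ExpressRoute for a hybrid setup) and the subnets of domain members.
$allowedSources = @('10.0.1.0/24', '192.168.10.0/24', '10.0.0.0/16')

# Port list from the article, protocols as listed there.
$adPorts = @(
    @{ Name = 'RPC-EndpointMapper'; Port = '135';  Protos = 'Tcp', 'Udp' },
    @{ Name = 'NetBIOS-Name';       Port = '137';  Protos = 'Tcp', 'Udp' },
    @{ Name = 'NetBIOS-Datagram';   Port = '138';  Protos = 'Udp' },
    @{ Name = 'NetBIOS-Session';    Port = '139';  Protos = 'Tcp' },
    @{ Name = 'SMB';                Port = '445';  Protos = 'Tcp', 'Udp' },
    @{ Name = 'LDAP';               Port = '389';  Protos = 'Tcp', 'Udp' },
    @{ Name = 'LDAPS';              Port = '636';  Protos = 'Tcp' },
    @{ Name = 'GC-LDAP';            Port = '3268'; Protos = 'Tcp' },
    @{ Name = 'GC-LDAPS';           Port = '3269'; Protos = 'Tcp' },
    @{ Name = 'Kerberos';           Port = '88';   Protos = 'Tcp', 'Udp' },
    @{ Name = 'DNS';                Port = '53';   Protos = 'Tcp', 'Udp' },
    # Not in the article's list: RPC dynamic range used by replication after the
    # endpoint mapper (135) hands out the port.
    @{ Name = 'RPC-Dynamic';        Port = '49152-65535'; Protos = 'Tcp' }
)

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup
$priority = 200   # NSG priorities run 100-4096; the lowest number wins

foreach ($svc in $adPorts) {
    foreach ($proto in $svc.Protos) {
        $nsg | Add-AzNetworkSecurityRuleConfig `
            -Name "Allow-AD-$($svc.Name)-$proto" `
            -Description "Active Directory $($svc.Name) ($proto/$($svc.Port))" `
            -Direction Inbound -Access Allow -Protocol $proto -Priority $priority `
            -SourceAddressPrefix $allowedSources -SourcePortRange '*' `
            -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange $svc.Port | Out-Null
        $priority += 10
    }
}

# Explicit deny for everything else: the built-in AllowVnetInBound rule (priority
# 65000) would otherwise let any peer in the virtual network reach every DC port.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-All-Other-Inbound' `
    -Direction Inbound -Access Deny -Protocol '*' -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*' | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review what was written, ordered the way the NSG evaluates it.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

Because of the final deny rule, management access such as RDP to the DCs needs its own allow rule from a bastion or jump host subnet placed above it; without that, the next RDP session in this guide will be blocked. The same table of ports and sources translates directly to AWS security group ingress rules or GCP firewall rules, which the links above cover.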

Active Directory Cloud Support

If you have any questions about the setup of Active Directory in Azure, AWS or Google GCP using our domain controller image leave your comments below and we will reply within 24 hours.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
