How to Setup Active Directory Cloud Domain on Azure/AWS/GCP
The best way to setup and install Active Directory AD in the cloud on Azure, AWS or Google GCP is to use our Domain Controller image from the cloud marketplace. Use our image to deploy a new Active Directory Domain/forest in Azure, AWS or GCP. Easily setup a new Active Directory forest or add domain controllers to your existing domain. Perfect solution to either setup a hybrid AD environment or cloud only AD. Sync IaaS domain controller VMs in the cloud and on prem or provide Active Directory authentication to users, servers and applications running in the cloud.
Setup Active Directory in the Cloud
Active Directory in Azure
Active Directory in AWS
Active Directory in GCP
Active Directory Cloud Benefits
- The perfect solution for providing Active Directory domain services to your servers in Azure, AWS and Google GCP.
- Enable Hybrid Active Directory using existing AD with your Azure tenant, AWS or GCP.
- Provide Group Polices to your servers in the cloud.
- Provide AD authentication services to your applications.
- Extend onprem Active Directory into Azure, AWS and GCP. Replicate onprem domain controllers to new DC’s servers in Azure, AWS or GCP.
- Provide DNS name resolution to your servers & applications in the cloud.
Table of Contents
Setup Active Directory Domain Services
Once you’ve deployed domain controllers into the cloud, you now need to perform the following steps to either create a new domain or add these domain controllers to your existing domain.
Connect to Cloud Domain Controllers
Once you’ve deployed the Active Directory 2016 or 2019 domain controller to your cloud environment, you now need to RDP to the virtual machine to start the installation steps. Refer to the either of the following guides on how to RDP depending on which cloud marketplace you are using:
Set static IP Address
Once logged in, it is recommended to set your domain controller virtual machine with a static IP address.
Once Active directory is setup on this server, it is also going to act as DNS server. Therefore you will need to change the DNS settings on the network interface and set the server IP address (or local host IP 127.0.0.1) as the primary DNS server.
To get your IP information, open up a command prompt or powershell window and run the following command:
“Ipconfig /all“
Here you will find your IP Adress, Subnet mask and default gateway. Add this information to your NIC properties. (in the screenshot above, in this demo, we are using a different VM so the output is slightly different to what we will be using on my DC NIC properties below).
- Right-click the network icon in the bottom right of the Task Bar and select Open Network and Sharing Center from the menu.
- In the Network and Sharing Center, click Change adapter settings.
- On the Network Connections screen, right-click the network adapter for which you want to change the IP address and select
- Select Internet Protocal Version 4 (TCP/IPV4) and click Properties
- Fill in your private IPV4 ip address, subnet mask, default gateway.
- Fill in the preferred DNS server as (127.0.0.1) which is known as your local host IP.
- The alternate DNS server address will be the IP address of another domain controller you have in your forest. If you don’t have any setup yet, you can leave this blank and update later if you are going to setup other domain controllers.
Active Directory Installation Steps
Open up Server Manager and click on the yellow notification and select promote this server to a domain controller.
Deployment Configuration (Add a new forest / Add to existing domain)
This will start the active directory configuration wizard. In my demo I am going to setup new forest. But if you adding this to an existing domain you can choose the relevant option. Select the option to add new forest and type FQDN for the domain. Then click next.
Domain / Forest Functional Levels
On the next page you can select the domain and forest functional levels. I am going to set it up with latest (Windows Server 2016). This is the same for Active Directory on Windows Server 2019 or 2022. Then type a password for DSRM. Then click next.
DNS Delegation
For the DNS options, this going to be the first DNS server in new forest. So no need any modifications. Click next to proceed.
Also Checkout
NetBIOS Domain Name
For the NETBIOS name keep the default and click next .
AD DS Database, Log Files, SYSVOL Paths
Next page is to define the NTDS, SYSVOL and LOG file folders. You can keep default or define different path for these. In this demo I will be keeping the default paths. Once changes are done, click next to continue.
Review Active Directory Configuration Changes
On the next page it will give you the option to review the configuration changes. If everything looks ok you can click next to proceed or otherwise can go back and change the settings.
Active Directory Prerequisites Check
On the next window it will do a prerequisite check. If it passes, it will enable the option to install. Click on install to begin the installation process.
Then it will start the installation process of promoting this server to a Windows domain controller
Login to Domain Controller as Domain Administrator
After the AD installation, The server will restart automatically. Once it comes back online, log in to the server as domain administrator.
Active Directory Administrative Center
Once logged in, open powershell (as administrator) and type:
dsac.exe
Press enter. It will open up the active directory administrative center. Here you can start managing the domain resources.
Navigate to Active Directory Administrative Center , click Overview:
Also you can use Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from powershell to confirm the domain and forest functional levels.
Test Active Directory Replication
If you have deployed multiple domain controllers (highly recommended). Next is to make sure you domain controller replication is working correctly. You can use Microsoft powershell commands (Repadmin) to check. Or alternatively checkout our Active Directory Reporting Tool
Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications, servers, etc).
Repadmin is an Active Directory diagnostic tool to check for replication of domain controllers, replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.
Run the following command to list all available repadmin commands:
repadmin /?
Which you should receive the following output:
Usage: repadmin [/u:{domain\user}] [/pw:{password|*}]
[/retry[:][:]]
[/csv]
Use these commands to see the help:
/? Displays a list of commands available for use in repadmin and their
description.
/help Same as /?
/?: Displays the list of possible arguments , appropriate
syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp Displays the variations of syntax available for the DSA_NAME,
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp Displays a list of deprecated commands that still work but
are no longer supported by Microsoft.
Supported commands (use /? for detailed help):
/kcc Forces the KCC on targeted domain controller(s) to immediately
recalculate its inbound replication topology.
/prp This command allows an admin to view or modify the
password replication policy for RODCs.
/queue Displays inbound replication requests that the DC needs to issue
to become consistent with its source replication partners.
/replicate Triggers the immediate replication of the specified directory
partition to the destination domain controller from the source DC.
/replsingleobj Replicates a single object between any two domain
controllers that have common directory partitions.
/replsummary The replsummary operation quickly and concisely summarizes
the replication state and relative health of a forest.
/rodcpwdrepl Triggers replication of passwords for the specified user(s)
from the source (Hub DC) to one or more Read Only DC's.
/showattr Displays the attributes of an object.
/showobjmeta Displays the replication metadata for a specified object
stored in Active Directory, such as attribute ID, version
number, originating and local Update Sequence Number (USN), and
originating server's GUID and Date and Time stamp.
/showrepl Displays the replication status when specified domain controller
last attempted to inbound replicate Active Directory partitions.
/showutdvec displays the highest committed Update Sequence Number (USN)
that the targeted DC's copy of Active Directory shows as
committed for itself and its transitive partners.
/syncall Synchronizes a specified domain controller with all replication
partners.
Supported additional parameters:
/u: Specifies the domain and user name separated by a backslash
{domain\user} that has permissions to perform operations in
Active Directory. UPN logons not supported.
/pw: Specifies the password for the user name entered with the /u
parameter.
/retry This parameter will cause repadmin to repeat its attempt to bind
to the target dc should the first attempt fail with one of the
following error status:
1722 / 0x6ba : "The RPC Server is unavailable"
1753 / 0x6d9 : "There are no more endpoints available from the
endpoint mapper"
/csv Used with /showrepl to output results in comma separated
value format. See /csvhelp
Repadmin.exe has lots of commands, lets take a look at the most popular and useful commands:
- /syncall – used to synchronize a certain DC with others
- /prp – if you have a Password Replication Policy (PRP), this command helps to manage it
- /queue – Shows the current queue of replication
- /replicate – this command helps to perform replication from one DC to another
- /replsingleobj – This command is handy if you need to replicate only one certain object between DCs
- /replsummary – Shows a report of a current state of replication and health in AD
- /showattr – is used when you need to see object attributes
- /showbackup – this setting displays the last backup time
- /showrepl – If you need to know current replication status use this one
Repadmin - Summarise Domain Controller Replication Health
The following command will give you and overview of your Active Directory replication health between domain controllers. This command will show you the percentage of replication attempts that have failed as the largets replication deltas.
repadmin /replsummary
The output is something like this if successful:
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
DC1 52m:48s 0 / 5 0
DC2 52m:46s 0 / 5 0
Destination DSA largest delta fails/total %% error
DC1 52m:46s 0 / 5 0
DC2 52m:48s 0 / 5 0
Repadmin - Get Replication Partner Status
To drill down and get the replication partner replication status of each domain controller, we can run the following command. This helps you to understand the role of each DC in the replication process. This command also displays the GUID of each object that was replicated, which is helpful to identify which objects are failing.
repadmin /showrepl
And the status results should look something like this:
Repadmin: running command /showrepl against full DC dc1.ad.cloudinfrastructureservices.co.uk
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2021-12-09 03:52:08 was successful.
CN=Configuration,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2021-12-09 03:52:08 was successful.
CN=Schema,CN=Configuration,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2021-12-09 03:52:08 was successful.
DC=DomainDnsZones,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2021-12-09 03:52:08 was successful.
DC=ForestDnsZones,DC=ad,DC=cloudinfrastructureservices,DC=co,DC=uk
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2021-12-09 03:52:08 was successful.
Active Directory Cloud Firewall Ports
In order for your domain controllers to communicate with other domain controllers in your Active Directory, you will need to make sure the following firewall ports are open between domain controllers in your cloud environment or on premises domain if you have a hybrid setup:
- RPC endpoint mapper: port 135 TCP, UDP
- NetBIOS name service: port 137 TCP, UDP
- NetBIOS datagram service: port 138 UDP
- NetBIOS session service: port 139 TCP
- SMB over IP (Microsoft-DS): port 445 TCP, UDP
- LDAP: port 389 TCP, UDP
- LDAP over SSL: port 636 TCP
- Global catalog LDAP: port 3268 TCP
- Global catalog LDAP over SSL: port 3269 TCP
- Kerberos: port 88 TCP, UDP
- DNS: port 53 TCP, UDP
To setup AWS firewall rules refer to – AWS Security Groups
To setup Azure firewall rules refer to – Azure Network Security Groups
To setup Google GCP firewall rules refer to – Creating GCP Firewalls
Active Directory Cloud Support
If you have any questions about the setup of Active Directory in Azure, AWS or Google GCP using our domain controller image leave your comments below and we will reply within 24 hours.
