Table of Contents
- Configure Networking
- Server Configuration
- Install Active Directory Domain Services
- Configure Active Directory
Unless you're running large enterprise applications like Exchange or have thousands of users, your resource allocations for your domain controllers can remain relatively light. ProfitBricks allows you to incrementally increase cores and memory on an as-needed basis. Be generous with storage and use the default value of 50 GB, which is what we're doing in this tutorial.
Here's how we've configured our environment:
| Setting | Value | API Property |
|---|---|---|
| Name | ADxx | |
| Cores | 1 | |
| RAM in GB | 2 | |
| Storage Volume | 50 GB | |
You'll want to ensure each instance is configured for a different availability zone. This provides some level of redundancy for the domain and is generally best practice.
In our example, we have created three instances, two dedicated to Active Directory and the third acting as an RDP proxy into our environment. Eventually you will want to move the domain controllers behind a firewall solution so they do not have a direct interface to the public Internet, while egress traffic can still reach external services such as time and updates. I hope to cover that in a future article.
We connect the three instances together on a private, internal network, then connect them up to the public Internet.
You will want to do the following for both domain controllers before installing and configuring Active Directory Services.
Connect to the first server using RDP.
Once you're on the domain controller bring up the list of network interfaces on your host. You should have two.
You can use `ipconfig` to determine which interface is the private one and which is the public one. You'll be updating the properties of both.
I always like to rename the interfaces to `private` and `public`, so go ahead and do that now.
Bring up the IPv4 properties for the private interface. We need to set a static IP and netmask. Since this is our future domain controller leave the DNS values blank for now.
Set the IP address to a static address. In our case we use 10.10.10.50 for the first DC and 10.10.10.51 for the second DC.
Leave the DNS server values blank. The AD DS installation process will set it to 127.0.0.1. The properties should look similar to this.
Click out of the dialogue, saving the settings. Once you have your second instance setup you should be able to ping one from the other without issue.
Bring up the `public` interface and click on the Advanced button.
Go to the DNS tab and uncheck "Register this connection's addresses in DNS". This will pay dividends when you install your first domain controller -- you don't want the public interface being handed out to other domain controllers or clients.
Click OK and save the settings.
You will need to ensure your hostname reflects what you would like your domain controllers to be named. You can use the hostname command to print your current hostname to the console.
If you need to, go ahead and rename your machine using PowerShell:
Rename-Computer -NewName AD01 -Restart
The restart switch tells the machine to reboot once the rename completes.
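The network preparation steps above (rename the interfaces, static address on the private one, no DNS registration on the public one, rename the host) can be done without clicking through dialogues. The following is an added example, not code from the original article, using the NetTCPIP and DnsClient cmdlets that ship with Windows Server 2012 R2. It assumes you have already identified the two adapters with `ipconfig` and put their current names in the two variables at the top; the adapter names `Ethernet` / `Ethernet 2`, the /24 netmask and the first DC's values (10.10.10.50, AD01) are assumptions to adjust per host.

```powershell
# Added example (not from the original article). Run elevated on each future DC
# before installing AD DS. Adjust the four values below per host.
$PrivateAdapterName = 'Ethernet 2'    # assumed: current name of the private LAN adapter (check ipconfig)
$PublicAdapterName  = 'Ethernet'      # assumed: current name of the public adapter
$PrivateIP          = '10.10.10.50'   # 10.10.10.51 on the second DC
$PrivatePrefix      = 24              # assumed netmask 255.255.255.0
$NewHostName        = 'AD01'          # AD02 on the second DC

# Give the adapters meaningful names so later cmdlets can refer to them by alias.
Rename-NetAdapter -Name $PrivateAdapterName -NewName 'private'
Rename-NetAdapter -Name $PublicAdapterName  -NewName 'public'

# Private interface: static address, no default gateway (egress goes out the
# public NIC) and no DNS servers yet; the AD DS install sets 127.0.0.1 on the
# first DC.
Set-NetIPInterface -InterfaceAlias 'private' -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias 'private' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias 'private' -IPAddress $PrivateIP -PrefixLength $PrivatePrefix | Out-Null
Set-DnsClientServerAddress -InterfaceAlias 'private' -ResetServerAddresses

# Public interface: keep the addressing ProfitBricks assigned, but never let it
# register in AD DNS, otherwise replicas and clients get handed the public IP.
Set-DnsClient -InterfaceAlias 'public' -RegisterThisConnectionsAddress $false

# Show what we ended up with before rebooting.
Get-NetIPConfiguration | Format-Table InterfaceAlias, IPv4Address, DNSServer
Get-DnsClient | Format-Table InterfaceAlias, RegisterThisConnectionsAddress

# Rename the host; -Restart reboots once the rename completes.
Rename-Computer -NewName $NewHostName -Restart -Force
```

After the reboot, `Get-DnsClient` should show `RegisterThisConnectionsAddress` as `True` for `private` and `False` for `public`; if it does not, the first DC will register its public address in the zone it creates.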
Install Active Directory Domain Services
Windows Server 2012 introduced a rather major change to how you promote a domain controller: Microsoft deprecated dcpromo.exe, which is what most of us used when setting up domain controllers in the past. Setting up a domain is now broken into two distinct pieces: 1) installing the role; 2) configuring the role.
You can setup the Active Directory Domain Services through the Server Manager dashboard or through PowerShell. Since we like automation we'll focus on PowerShell in these next few sections.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
You also need to be aware that the role installation and configuration process adheres to current best practices. This means services like DNS and the Global Catalogue are installed on each domain controller.
If you were using Server Manager, you would choose the Active Directory Domain Services role from the list of roles.
Configure Active Directory
You now need to configure your domain controller. Again, like installation this can be done via the Server Manager or through PowerShell. Configuration steps will vary depending on if you are setting up your first domain controller or a replica.
Configuring a New Forest
Run the following command to setup your new forest. Replace the domain with your own.
Install-ADDSForest -DomainName "yourdomain.local" -DomainMode Win2012R2 -ForestMode Win2012R2
When you execute the above you will go through a brief set of questions, e.g. the safe mode (Directory Services Restore Mode) password. After completion the machine will be promoted as a domain controller, the forest will be created, and so on. You may see some warnings. Read these; in general they are informational warnings about various policy settings, or they concern items we address below. Your server will automatically reboot after promotion.
DNS is installed by default when you run Install-ADDSForest. If you do not use AD DNS then you can pass $false to the -InstallDns parameter, i.e. -InstallDns:$false.
You can make this more complex by storing your AD DB, SYSVOL, and logs on separate volumes. In general, the domain controller will load the AD DB into memory if it will fit so the amount of writes to disk will not be too aggressive for most installations; however, again, if you're using applications that make heavy use of Active Directory then you will need to think about volume topology and instance resource allocation. Microsoft has some good tools for properly sizing various architectures.
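Here is the forest promotion done non-interactively, with the database, logs and SYSVOL on separate volumes as just discussed, and with the prerequisite check run first so you see the warnings before anything changes. This is an added example, not code from the original article; the domain name, NetBIOS name and the volume letters D:, E: and F: are assumptions, and the DSRM password is prompted for rather than embedded in the script.

```powershell
# Added example (not from the original article). Run elevated on AD01 after
# Install-WindowsFeature AD-Domain-Services. All values below are assumed.
$DomainName   = 'yourdomain.local'
$NetbiosName  = 'YOURDOMAIN'
$DatabasePath = 'D:\NTDS'     # AD database (NTDS.dit); volume must be NTFS
$LogPath      = 'E:\NTDS'     # transaction logs
$SysvolPath   = 'F:\SYSVOL'   # SYSVOL share; volume must be NTFS

# Directory Services Restore Mode password as a SecureString, never plain text.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    DomainMode                    = 'Win2012R2'
    ForestMode                    = 'Win2012R2'
    InstallDns                    = $true     # -InstallDns:$false only if DNS lives elsewhere
    CreateDnsDelegation           = $false    # nothing above yourdomain.local to delegate from
    DatabasePath                  = $DatabasePath
    LogPath                       = $LogPath
    SysvolPath                    = $SysvolPath
    SafeModeAdministratorPassword = $dsrm
}

# Dry run: same checks and warnings as the real promotion, no changes made.
$check = Test-ADDSForestInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the errors above before promoting.'
}

# Real promotion. -Force skips the confirmation prompt; the server reboots when done.
Install-ADDSForest @params -Force
```

`Test-ADDSForestInstallation` takes the same parameters as `Install-ADDSForest`, so the splatted hashtable is reused unchanged; anything it reports as an error (rather than a warning) will also stop the real promotion.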
Let's pause here to do some DNS configuration on the first domain controller. Log onto the host.
Load the snap-in for DNS.
Right click on your first domain controller and select properties.
Within the Interfaces tab, set the server to listen only on the private address. You do not want it listening on the public interface: the DNS role on a domain controller allows recursion by default, so a public-facing listener would answer recursive queries for anyone on the Internet.
Click the Forwarders tab and ensure there are valid DNS servers listed. We're using Google's DNS.
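The same two DNS server changes, scripted with the DnsServer module on the first DC, plus a check that the DC's own A record carries only the private address (the thing the "register this connection's addresses" setting was meant to guarantee). This is an added example, not code from the original article; the private address 10.10.10.50, the domain name and the Google forwarders 8.8.8.8 / 8.8.4.4 are assumptions.

```powershell
# Added example (not from the original article). Run elevated on AD01 after
# promotion. Assumed values below.
$DomainName = 'yourdomain.local'
$PrivateIP  = '10.10.10.50'
$Forwarders = '8.8.8.8', '8.8.4.4'

# Interfaces tab: bind the DNS service to the private address only. The default
# ("all IP addresses") would expose a recursive resolver on the public NIC.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($PrivateIP)
Set-DnsServerSetting -InputObject $settings
Restart-Service DNS

# Forwarders tab: replace whatever was inherited from the NIC settings at
# promotion time with known-good resolvers.
Set-DnsServerForwarder -IPAddress $Forwarders

# Verify listening addresses and forwarders.
(Get-DnsServerSetting -All).ListeningIPAddress
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint

# Verify the DC's own A record: every address must be on the private LAN.
$aRecords = Get-DnsServerResourceRecord -ZoneName $DomainName -Name $env:COMPUTERNAME -RRType A
$aRecords | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
$leaked = $aRecords | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -notlike '10.10.10.*' }
if ($leaked) {
    throw "Public address registered for $env:COMPUTERNAME in $DomainName; remove it before adding the replica."
}
```

If the last check throws, delete the offending record with `Remove-DnsServerResourceRecord` and re-check the public interface's "Register this connection's addresses in DNS" setting, or the record will come back at the next dynamic update.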
Configuring Replica Domain Controllers
Now that your first domain controller is setup pause and make some changes to the networking on the replica (your second domain controller).
Bring up the properties of the public interface and adjust the DNS servers so there are only two and are the IPs of your two domain controllers.
Bring up the properties of the private interface and adjust the DNS servers so there are only two and are the IPs of your two domain controllers.
First, validate that you can resolve the domain name from the replica.
The response should contain the private IPs of the domain controllers. At this point there should only be one: the DC you just installed. Validate that there are no public IPs in the response, as this can cause issues when adding the second domain controller.
Since this is your second domain controller you will need to use the following command to join it to the existing forest as a replica. Be sure you installed AD DS (Install-WindowsFeature, as above) before running the command, or PowerShell will report that the cmdlet is not recognized.
Install-ADDSDomainController -DomainName "yourdomain.local" -Credential (Get-Credential)
A credential dialogue will come up. Use the credentials of an account in Domain Admins. When the process completes the system will be rebooted and you now have your second domain controller.
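The replica steps above in one script: point both interfaces at the domain controllers, refuse to continue if the domain resolves to any public address, install the role, run the prerequisite check and then promote. This is an added example, not code from the original article; the addresses 10.10.10.50 / 10.10.10.51, the hostname AD01, the domain name and the site name are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the second
# DC (AD02, 10.10.10.51) before it is promoted. Assumed values below.
$DomainName = 'yourdomain.local'
$DcIPs      = '10.10.10.50', '10.10.10.51'   # private IPs of both DCs
$SourceDC   = 'AD01.yourdomain.local'        # the DC already running

# DNS client on both interfaces: only the DCs' private addresses.
foreach ($alias in 'private', 'public') {
    Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $DcIPs
}
Clear-DnsClientCache

# Validate resolution against the first DC before promoting. Any address
# outside the private LAN means the public NIC got registered on AD01.
$answers = Resolve-DnsName -Name $DomainName -Type A -Server $DcIPs[0] -DnsOnly
$answers | Format-Table Name, IPAddress
$leaked = $answers | Where-Object { $_.IPAddress -notlike '10.10.10.*' }
if ($leaked) {
    throw "Public address(es) in DNS for ${DomainName}: $($leaked.IPAddress -join ', ')"
}

# The promotion cmdlets only exist once the role is installed.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -Message "Domain Admins account in $DomainName"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = $DomainName
    Credential                    = $cred
    InstallDns                    = $true
    ReplicationSourceDC           = $SourceDC                # initial replication from AD01 over the private LAN
    SiteName                      = 'Default-First-Site-Name' # assumed: site created by Install-ADDSForest
    SafeModeAdministratorPassword = $dsrm
}

# Dry run, then the real promotion (reboots when complete).
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed.' }

Install-ADDSDomainController @params -Force
```

After the reboot, repeat the `Resolve-DnsName` check from the first DC: the answer should now list both private addresses and still nothing else.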
Since you are running a virtualized domain controller you will want to ensure the time service is synchronizing with an external time source. Run this on the PDC emulator (the first DC, unless you have moved the role), which is the authoritative time source for the domain; the other domain controllers then take their time from the domain hierarchy:
w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com pool.ntp.org"
w32tm /config /update
w32tm /resync
This helps protect you from time drift on the domain, which matters for Kerberos: tickets are rejected once clocks differ by more than the allowed skew (five minutes by default).
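A small script that applies the configuration above to whichever DC it runs on: the external peers on the PDC emulator, the domain hierarchy everywhere else, followed by a check of the selected source and the offset against an external peer. This is an added example, not code from the original article; the peer list is the article's, everything else is assumed.

```powershell
# Added example (not from the original article). Run elevated on any DC once
# the domain is up; it decides what to configure from the PDC emulator role.
$Peers = 'time.windows.com pool.ntp.org'   # space-separated list, hence the quotes

$pdc = (Get-ADDomain).PDCEmulator                                   # FQDN of the PDC emulator
$me  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName # this DC's FQDN

if ($me -ieq $pdc) {
    # PDC emulator: sync from external peers and advertise as a reliable source.
    w32tm /config /syncfromflags:manual /manualpeerlist:"$Peers" /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy, which ends at the PDC emulator.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync /nowait

# Verify: the source actually in use, the service state, and the current
# offset against an external peer (large offsets mean the drift is not fixed).
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:pool.ntp.org /samples:3 /dataonly
```

On the PDC emulator `w32tm /query /source` should name one of the external peers; on the replica it should name the PDC emulator. Remember that the PDC emulator needs outbound UDP 123 through whatever firewall you eventually put in front of the domain controllers.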
You should now have a basic Active Directory domain running within your ProfitBricks environment.