Home Lab Secrets: Building the Killer Home Lab Part 2 (Deploying Active Directory between Azure and On-Premise)


In Part 1 of my Home Lab Secrets Series we established a VPN between Azure and our On-Premise Network.  In Part 2 of this series we will configure our Azure VM and On-Premise VM as Domain Controllers and establish 2 Active Directory Sites that will give us a Multi-Site Deployment.

This article assumes that you have already deployed your On-Premise VM and Azure VM that will be used as Domain Controllers as well as established a VPN between On-Premise and Azure.  Let’s get started!!!

Renaming our Domain Controllers

In Part 1 of Building the Killer Home Lab, we IP’d both of our servers, but didn’t rename them.  Since this is a network that will be built upon, let's give our Servers some names with meaning.  Using the steps below rename our On-Premise VM:


  1. Log onto your On-Premise Server.
  2. Right-click on the Windows Logo and click on System.
  3. Under Computer name, domain and workgroup settings click on Change settings.
  4. At the pop-up screen click on Change.
  5. Under Computer name: enter OP-DC then click OK, OK, OK then click Yes to restart.


Installing Active Directory Domain Service Binaries

Unlike previous versions of Active Directory, to promote a 2012 R2 server to a Domain Controller we must first install the Active Directory Domain Services binaries.  This can be done following the steps below:

  1. Log onto OP-DC.
  2. From the taskbar click on Server Manager.
  3. Under the Configure this local server section click on Add roles and features.
  4. At the Before you begin screen click Next.
  5. At the Select installation type screen click Next.
  6. At the Select destination server screen click Next.
  7. At the Select server roles screen select Active Directory Domain Services, at the Add features… pop-up click Add Features, then click Next.
  8. At the Select features screen click Next.
  9. At the Active Directory Domain Services screen click Next.
  10. At the Confirm installation selections screen click Install.
  11. When setup completes click Close.

Deploying our On-Premise Domain Controller

  1. In the Right-Pane click on the Yellow Caution Sign then click Promote this server to a domain controller.
  2. At the Deployment Configuration screen under the Select the deployment operation section select Add a new forest.
  3. Under the Specify the domain information for this operation section enter killerhomelab.com for the Root domain name then click Next.
  4. At the Domain Controller Options screen enter a password under the Type the Directory Services Restore Mode (DSRM) password section then click Next.
  5. At the DNS Options screen click Next.
  6. At the Additional Options screen click Next.
  7. At the Paths screen click Next.
  8. At the Review Options screen click Next.
  9. At the Prerequisites Check screen click Install.
  10. When setup completes Reboot the Server.
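The rename, role installation and forest promotion above can also be done from an elevated PowerShell session on the on-premise server. The following is an added example written for this article, not code from the original post; it assumes the names used above (OP-DC, killerhomelab.com, the KILLERHOMELAB NetBIOS name) and prompts for the DSRM password instead of storing it in the script.

```powershell
# Added example: rename the server, install the AD DS binaries and create the
# killerhomelab.com forest on the on-premise VM. Run as a local administrator.

# 1. Rename the server (System > Change settings in the GUI steps). The
#    -Restart switch replaces the "Yes to restart" prompt; re-run the script
#    after the reboot to continue.
if ($env:COMPUTERNAME -ne 'OP-DC') {
    Rename-Computer -NewName 'OP-DC' -Force -Restart
    return
}

# 2. Install the AD DS binaries and the management tools (Server Manager's
#    "Add roles and features" with Active Directory Domain Services selected).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote the server as the first DC of a new forest. The DSRM password is
#    read as a SecureString so it never lands in the script or the history file.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Install-ADDSForest `
    -DomainName 'killerhomelab.com' `
    -DomainNetbiosName 'KILLERHOMELAB' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# Install-ADDSForest reboots the server when it finishes, matching step 10.
```

Install-ADDSForest runs the same prerequisite check the wizard shows at step 9 and stops with the same messages if it fails, so the script can be re-run after fixing the cause.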

Configuring Preferred DNS Server

  1. Log onto OP-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 6 (TCP/IPv6) then click the Properties button.
  6. Select Obtain DNS Server address automatically then click OK.
  7. Highlight Internet Protocol Version 4 (TCP/IPv4) then click the Properties button.
  8. Select Use the following DNS server addresses then enter the following: Preferred DNS server: 192.168.1.2
  9. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
  10. Click Close to close the Ethernet Properties window then close the Network Connections window.


Configuring DNS Zones

  1. From within Server Manager click on Tools and select DNS.
  2. In the Left-Pane expand DNS | OP-DC then right-click Reverse Lookup Zones and select New Zone…
  3. At the Welcome to the New Zone Wizard click Next.
  4. At the Zone Type screen click Next.
  5. At the Active Directory Zone Replication Scope screen click Next.
  6. At the Reverse Lookup Zone Name screen click Next.
  7. At the 2nd Reverse Lookup Zone Name screen enter 192.168.1 under Network ID: then click Next.
  8. At the Dynamic Update screen click Next.
  9. At the Completing the New Zone Wizard click Finish.
  10. Using the steps above configure an additional Reverse Lookup Zone for the following subnet: 192.168.111.0/24
  11. Right-click the newly created zone and select New Pointer (PTR)…
  12. Click on the Browse button then double-click OP-DC | Forward Lookup Zones | killerhomelab.com, scroll down and select the OP-DC A Record, then click OK, OK.

To verify our DNS Configuration let’s run an nslookup as shown below:
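The same zones, PTR record and nslookup verification can be produced with the DnsServer module on OP-DC. This is an added example for this article, not code from the original post; it assumes OP-DC is 192.168.1.2, the two lab subnets used above, and that the zones do not already exist (Add-DnsServerPrimaryZone refuses to overwrite a zone created by the wizard).

```powershell
# Added example: create the two AD-integrated reverse lookup zones, add the
# PTR record for OP-DC and verify forward and reverse resolution. Run on OP-DC.

# Reverse zones for both lab subnets, replicated to all DNS servers in the
# domain (the wizard's default replication scope), secure dynamic updates only.
foreach ($net in '192.168.1.0/24', '192.168.111.0/24') {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
}

# PTR record for OP-DC in the 1.168.192.in-addr.arpa zone (steps 11 and 12).
Add-DnsServerResourceRecordPtr -ZoneName '1.168.192.in-addr.arpa' `
    -Name '2' -PtrDomainName 'op-dc.killerhomelab.com'

# Verification, equivalent to the nslookup run in the screenshot.
Resolve-DnsName -Name 'op-dc.killerhomelab.com' -Server 192.168.1.2 -Type A
Resolve-DnsName -Name '192.168.1.2' -Server 192.168.1.2 -Type PTR

# The DC locator SRV record is what domain members and the second DC will
# actually query; if this does not resolve, promotion from Azure will fail.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.killerhomelab.com' -Server 192.168.1.2 -Type SRV
```

The SRV check is the one worth keeping as a routine test: an A record can resolve while the _msdcs records are missing, and that is the failure that shows up later as "a domain controller for the domain could not be contacted".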


Creating Active Directory Sites

  1. From within Server Manager click on Tools and select Active Directory Sites and Services.
  2. In the Left-Pane right-click Sites and select New Site.
  3. At the New Object – Site screen under Name: enter Azure-KHL then select the DEFAULTIPSITELINK and click OK.
  4. At the Active Directory Domain Services pop-up click OK.
  5. In the Left-Pane right-click Sites and select New Site.
  6. At the New Object – Site screen under Name: enter OnPremise-Lab then select the DEFAULTIPSITELINK and click OK.
  7. At the Active Directory Domain Services pop-up click OK.
  8. In the Left-Pane right-click Subnets and select New Subnet.
  9. At the New Object – Subnet screen under Prefix: enter 192.168.1.0/24 then under Select a site object for this prefix select OnPremise-Lab and click OK.
  10. In the Left-Pane right-click Subnets and select New Subnet.
  11. At the New Object – Subnet screen under Prefix: enter 192.168.111.0/24 then under Select a site object for this prefix select Azure-KHL and click OK.


Moving OP-DC to its new AD Site

  1. From within Server Manager click on Tools and select Active Directory Sites and Services.
  2. In the Left-Pane expand Default-First-Site-name | Servers then right-click OP-DC and select Move.
  3. At the Move Server pop-up select OnPremise-Lab then click OK.
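The site, subnet and server-move steps above map onto a few ActiveDirectory module cmdlets. This is an added example for this article, not code from the original post; it assumes the site names and subnets used above and that it is run on a DC (or a machine with RSAT) as a domain admin.

```powershell
# Added example: create the two AD sites, bind each lab subnet to its site and
# move OP-DC out of Default-First-Site-Name.
Import-Module ActiveDirectory

$sites = @{
    'OnPremise-Lab' = '192.168.1.0/24'
    'Azure-KHL'     = '192.168.111.0/24'
}

foreach ($site in $sites.Keys) {
    # New site, then attach it to DEFAULTIPSITELINK as the New Object - Site
    # dialog does when that link is selected.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $site}
    }
    # The subnet-to-site mapping is what makes a DC "site aware" at promotion.
    $prefix = $sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site
    }
}

# Move OP-DC into its site (Sites and Services > right-click server > Move).
Move-ADDirectoryServer -Identity 'OP-DC' -Site 'OnPremise-Lab'

# Verify: every DC should report the site you expect for its address.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

The final query is the check to repeat after the Azure DC is promoted: a DC listed under the wrong site replicates on the wrong schedule and hands out the wrong site to clients.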


Configuring your Azure VM

Let’s head to Azure now by logging into the portal at the URL listed below:

https://manage.windowsazure.com

Let’s start by defining your Azure VM’s DNS Server.  Azure VMs get their DNS Servers defined in one of two ways.  The first, which is the default, is via DHCP.  The second, and the option we need since this VM will serve as a Domain Controller, is via the VIRTUAL NETWORK.  You’ll remember that in Part 1 of this series we created a VIRTUAL NETWORK.  In addition to defining the VM’s subnet, our VIRTUAL NETWORK also defines its DNS Server.  Since we are promoting this Domain Controller into an existing Forest, we will initially specify our On-Premise Domain Controller OP-DC as its DNS Server.  Once its promotion is complete and replication has occurred successfully, we will change it back to itself.  Follow the steps below to define the On-Premise Domain Controller as the VPNLAB VIRTUAL NETWORK’s DNS Server.


  1. On the bottom bar click NEW.
  2. From the menu select NETWORK SERVICES | VIRTUAL NETWORK | REGISTER DNS and enter the following then click OK:

NAME: OP-DC
DNS SERVER IP ADDRESS: 192.168.1.2

  3. Repeat the previous steps for KHL-DC:

NAME: KHL-DC
DNS SERVER IP ADDRESS: 192.168.111.4

  4. Under networks click on VIRTUAL NETWORKS then VPNLAB.
  5. Under vpnlab click on CONFIGURE.
  6. Under dns servers use the first pull-down menu and select OP-DC, on the second pull-down menu select KHL-DC, then on the bottom-bar click Save.
  7. At the Disrupt Connection warning pop-up click Yes.
  8. Click OK once the DNS Server is set.

If your KHL-DC was already started you will need to reboot it; if not, use the following steps to start it and it will pick up the new DNS Server settings:

  1. On the Left-Pane click on VIRTUAL MACHINES.
  2. In the Middle-Pane highlight KHL-DC then on the Bottom-Bar click START.


Let’s connect to our Azure VM (KHL-DC) via remote desktop.  To do this follow the steps below:


  1. On the Left-Pane click on VIRTUAL MACHINES.
  2. In the Middle-Pane highlight KHL-DC then on the Bottom-Bar click CONNECT.
  3. At the download pop-up click Save | Save As.
  4. At the Save As pop-up enter KHL-DC under File name: then click Save.
  5. Navigate to the file and double-click on KHL-DC.
  6. At the Remote Desktop Connection pop-up click Connect.
  7. At the Windows Security screen enter your credentials.
  8. At the Untrusted Certificate pop-up click Yes.

Once we are logged into KHL-DC we need to verify that it is using OP-DC as its DNS Server.  We can do that by running an NSLookup as shown below:

Now that we know we are correctly pointed to OP-DC let’s promote KHL-DC as the 1st Domain Controller in our Azure AD Site.  As mentioned earlier in the article, in order to promote a 2012 R2 server to a Domain Controller we must first install the Active Directory Domain Services binaries.  This can be done following the steps below:

  1. From the taskbar click on Server Manager.
  2. Under the Configure this local server section click on Add roles and features.
  3. At the Before you begin screen click Next.
  4. At the Select installation type screen click Next.
  5. At the Select destination server screen click Next.
  6. At the Select server roles screen select Active Directory Domain Services then at the Add feature pop-up click Add Features then Next.
  7. At the Select features screen click Next.
  8. At the Active Directory Domain Services screen click Next.
  9. At the Confirm installation selections screen click Install.
  10. When setup completes click Close.


Deploying our Azure Domain Controller

  1. In the Right-Pane click on the Yellow Caution Sign then click Promote this server to a domain controller.
  2. At the Deployment Configuration screen under the Select the deployment operation make sure Add a domain controller to an existing domain is selected.
  3. Under the Specify the domain information for this operation section enter killerhomelab.com for the Domain name.
  4. Under the Supply the credentials to perform this operation click Change.
  5. At the Credentials for deployment operation screen enter the credentials that were used to run the promotion on OP-DC then click OK, then Next.

Note: Make sure the format is DOMAIN\Account (Ex: KILLERHOMELAB\khl-admin).

As you can see on the next screen the Site name: has already been selected for us.  This is because the server is Site Aware.  Site Awareness allows a server to determine which AD Site it is a part of based on its IP subnet.  Since we associated the 192.168.111.0/24 subnet to the Azure-KHL AD Site earlier in the article, the server has already chosen its Site Name.

  6. At the Domain Controller Options screen enter a password under the Type the Directory Services Restore Mode (DSRM) password section then click Next.
  7. At the DNS Options screen click Next.
  8. At the Additional Options screen click Next.
  9. At the Paths screen click Next.
  10. At the Review Options screen click Next.
  11. At the Prerequisites Check screen click Install.
  12. When setup completes Reboot the Server.
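The DNS check and the promotion of KHL-DC into the existing forest can be scripted on the Azure VM. This is an added example for this article, not code from the original post; it assumes the interface is named "Ethernet", that the VIRTUAL NETWORK handed the VM OP-DC (192.168.1.2) as its first DNS server, and prompts for the domain credential and DSRM password rather than embedding them.

```powershell
# Added example: on KHL-DC, confirm the VM resolves the domain through OP-DC,
# then install AD DS and promote it into the existing forest in the Azure-KHL
# site. Run in an elevated PowerShell session on KHL-DC.

# 1. Verify the DNS client configuration before doing anything else; this is
#    the NSLookup step. Promotion fails late and messily if DNS is wrong.
$dns = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).ServerAddresses
if (-not $dns -or $dns[0] -ne '192.168.1.2') {
    throw "First DNS server is '$($dns -join ', ')'; expected OP-DC (192.168.1.2). Fix the VNet DNS setting first."
}
# A DC locator record proves the domain is reachable across the VPN, not
# just that the VM has an address configured.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.killerhomelab.com' -Type SRV -ErrorAction Stop

# 2. AD DS binaries (the Add roles and features steps).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote into the existing domain. -SiteName is what the wizard
#    pre-selects from the 192.168.111.0/24 subnet; stating it explicitly makes
#    the intent visible and fails loudly if the subnet mapping is missing.
#    The credential must be in DOMAIN\Account form, e.g. KILLERHOMELAB\khl-admin.
$cred = Get-Credential -Message 'Domain admin credential (KILLERHOMELAB\account)'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Install-ADDSDomainController `
    -DomainName 'killerhomelab.com' `
    -SiteName 'Azure-KHL' `
    -InstallDns `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots on completion, matching step 12.
```

Because the first two checks throw before any role is installed, a mistake in the VIRTUAL NETWORK DNS setting is caught while the VM is still a plain member server rather than half-way through a promotion.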


Once KHL-DC completes its reboot it is now a Domain Controller within the killerhomelab.com Domain.  Even though it has successfully been promoted, we must wait until it has completed replication before continuing.


Next we will make another tweak to KHL-DC, this time to its IPv6 DNS Server setting.  Since we will not be configuring IPv6 in our lab, we will remove the IPv6 loopback entry from our IPv6 DNS Settings.

  1. Log onto KHL-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 6 (TCP/IPv6) then click the Properties button.
  6. Select Obtain DNS Server address automatically then click OK.

Finally, we will be making one last change to our DNS Server settings on OP-DC.  We will be setting its DNS Server settings to point to KHL-DC for its Primary DNS and itself for Alternate DNS.


  1. Log onto OP-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 4 (TCP/IPv4) then click the Properties button.
  6. Under Use the following DNS server addresses: enter the following:

Preferred DNS Server: 192.168.1.2
Alternate DNS Server: 192.168.111.4
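Both DNS client changes above, the IPv6 reset on KHL-DC and the IPv4 preferred/alternate settings on OP-DC, can be applied with the DnsClient module. This is an added example for this article, not code from the original post; it assumes the interface is named "Ethernet". One caveat a reader should notice: the text above says OP-DC should point to KHL-DC as preferred and itself as alternate, while the values listed put 192.168.1.2 first; the example uses the values as listed, so swap the order of the array if you want the order the text describes.

```powershell
# Added example: on a DC, reset IPv6 DNS to "obtain automatically" (which
# drops the ::1 loopback entry) and set the IPv4 servers. Run once per DC,
# passing that DC's own list.
param(
    [string]$InterfaceAlias = 'Ethernet',
    # Order as listed above for OP-DC: preferred first, alternate second.
    [string[]]$Servers = @('192.168.1.2', '192.168.111.4')
)

# Both address families back to automatic. For IPv6 this is the change
# described for KHL-DC; IPv4 is set explicitly in the next step.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses

# IPv4 static servers (the "Use the following DNS server addresses" dialog).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers

# Verify: IPv6 should show no configured servers, IPv4 the entries given.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias

# Every listed server must answer for the domain; a DC that can only reach
# its partner across the VPN loses name resolution when the tunnel is down.
foreach ($s in $Servers) {
    Resolve-DnsName -Name 'killerhomelab.com' -Server $s -Type A -ErrorAction Stop
}
```

Run with no arguments on OP-DC for the listed values, and with -Servers supplying KHL-DC's own list when applying it there.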


Now that we have both of our Domain Controllers up and running, let’s make sure that they are replicating correctly.  We will do this by creating a test account on OP-DC and then forcing its replication to the KHL-DC.  Let’s start by creating the account.


  1. From within Server Manager click on Tools and select Active Directory Users and Computers.
  2. Leave your existing ADUC (Active Directory Users and Computers) open then from within Server Manager click on Tools and select Active Directory Users and Computers to open a 2nd ADUC window.
  3. In the 2nd window from the Left-pane right-click Active Directory Users and Computers [OP-DC.killerhomelab.com] then select Change Domain Controller.

  4. At the Change Directory Server pop-up select KHL-DC.killerhomelab.com then click OK.
  5. From within Server Manager click on Tools and select Active Directory Sites and Services.
  6. Arrange the 2 ADUC windows and 1 Active Directory Sites and Services window as shown below:
  7. From the OP-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select New | User.
  8. At the New Object – User screen enter the following then click Next:

First name: KHL
Last name: User1
Full name: KHL User1
User logon name: KHLUser1

  9. At the password screen enter the following then click Next, then Finish:

Password: P@$$w0rd1
Confirm password: P@$$w0rd1


At this point we have created our account on OP-DC but it has not been replicated over to KHL-DC.  Let’s switch to the KHL-DC ADUC Instance and verify the account does not exist yet.

  1. From the KHL-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select Refresh.


As shown above you can see that KHLUser1 exists on OP-DC but has not been replicated to KHL-DC.  To force replication we will be using the Active Directory Sites and Services console which we opened earlier.  Follow the steps below to force the replication of the KHLUser1 object from OP-DC to KHL-DC.

  1. Switch to the Active Directory Sites and Services window then within the Left-Pane expand Sites | Azure-KHL | Servers | KHL-DC then select NTDS Settings.
  2. In the Right-Pane right-click the <automatically generated> connection object to OP-DC and select Replicate.

  3. At the Replicate Now pop-up click OK.
  4. From the KHL-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select Refresh.
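The replication test above (create on OP-DC, confirm absent on KHL-DC, force replication, confirm present) can be done without the two ADUC windows. This is an added example for this article, not code from the original post; it assumes the DC names used above, runs as a domain admin on either DC, and prompts for the test account's password instead of writing it into the script.

```powershell
# Added example: create a test user on OP-DC, show it is not yet on KHL-DC,
# force replication of that single object, and confirm it arrived.
Import-Module ActiveDirectory

$source = 'OP-DC.killerhomelab.com'
$target = 'KHL-DC.killerhomelab.com'
$pw = Read-Host -Prompt 'Password for KHLUser1' -AsSecureString

# Created against OP-DC explicitly (-Server), as in the OP-DC ADUC instance.
New-ADUser -Server $source -Name 'KHL User1' -GivenName 'KHL' -Surname 'User1' `
    -SamAccountName 'KHLUser1' -UserPrincipalName 'KHLUser1@killerhomelab.com' `
    -AccountPassword $pw -Enabled $true

# Query KHL-DC directly: before replication this normally returns nothing.
$before = Get-ADUser -Server $target -Filter "SamAccountName -eq 'KHLUser1'"
"Before forced replication, KHLUser1 on KHL-DC: $(if ($before) { 'present' } else { 'absent' })"

# Force replication of just this object from OP-DC to KHL-DC; this is the
# "Replicate Now" action on KHL-DC's connection object to OP-DC.
$obj = Get-ADUser -Server $source -Identity 'KHLUser1'
Sync-ADObject -Object $obj -Source $source -Destination $target

$after = Get-ADUser -Server $target -Filter "SamAccountName -eq 'KHLUser1'"
"After forced replication, KHLUser1 on KHL-DC: $(if ($after) { 'present' } else { 'absent' })"

# Whole-partition health between the two sites. Any non-zero "Fails" column
# or a large "Largest Delta" points at the VPN or the site link schedule.
repadmin /replsummary
```

Sync-ADObject replicates one object immediately; repadmin /replsummary is the check to keep running afterwards, since a single forced sync succeeding says nothing about scheduled replication across the site link.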

As you can see our user KHLUser1 has successfully been replicated.  You have now deployed a Multi-Site Active Directory Infrastructure!!!  This completes Part 2 of the Killer Home Lab Series.  In Part 3 we will be deploying a PKI Infrastructure within our lab using Microsoft Active Directory Certificate Services. Have fun with the lab!!!


Thanks,

Elliott
