Home Lab Secrets: Building the Killer Home Lab Part 2 (Deploying Active Directory between Azure and On-Premise)(New Azure Portal)


In Part 1 of my Home Lab Secrets Series we established a VPN between Azure and our On-Premise Network.  In Part 2 of this series we will configure our Azure VM and On-Premise VM as Domain Controllers and establish 2 Active Directory Sites that will give us a Multi-Site Deployment.

This article assumes that you have already deployed your On-Premise VM and Azure VM that will be used as Domain Controllers as well as established a VPN between On-Premise and Azure.  Let’s get started!!!

Renaming our Domain Controllers

In Part 1 of Building the Killer Home Lab, we IP’d both of our servers, but didn’t rename them.  Since this is a network that will be built upon, let's give our Servers some names with meaning.  Using the steps below rename our On-Premise VM:


  1. Log onto your On-Premise Server.
  2. Right-click on the Windows Logo and click on System.
  3. Under Computer name, domain and workgroup settings click on Change settings.
  4. At the pop-up screen click on Change.
  5. Under Computer name: enter OP-DC then click OK, OK, OK then click Yes to restart.


Installing Active Directory Domain Service Binaries

Unlike previous versions of Active Directory, to promote a server to a Domain Controller we must first install the Active Directory Domain Services binaries.  This can be done following the steps below:

  1. Log onto OP-DC.
  2. From the taskbar click on Server Manager.
  3. Under the Configure this local server section click on Add roles and features.
  4. At the Before you begin screen click Next.
  5. At the Select installation type screen click Next.
  6. At the Select destination server screen click Next.
  7. At the Select server roles screen select Active Directory Domain Services then at the Add features… pop-up click Add Features then Next.
  8. At the Select features screen click Next.
  9. At the Active Directory Domain Services screen click Next.
  10. At the Confirm installation selections screen click Install.
  11. When setup completes click Close.

Deploying our On-Premise Domain Controller

  1. In the Right-Pane click on the Yellow Caution Sign then click Promote this server to a domain controller.
  2. At the Deployment Configuration screen under the Select the deployment operation section select Add a new forest.
  3. Under the Specify the domain information for this operation section enter killerhomelab.com for the Root domain name then click Next.
  4. At the Domain Controller Options screen enter a password under the Type the Directory Services Restore Mode (DSRM) password section then click Next.
  5. At the DNS Options screen click Next.
  6. At the Additional Options screen click Next.
  7. At the Paths screen click Next.
  8. At the Review Options screen click Next.
  9. At the Prerequisites Check screen click Install.
  10. When setup completes Reboot the Server.
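The three procedures above (renaming the server, installing the AD DS binaries and creating the forest) can also be done from an elevated PowerShell session.  The script below is an added example and is not part of the original post; the names OP-DC, killerhomelab.com and the KILLERHOMELAB NetBIOS name come from this article, and the DSRM password is read at the prompt rather than stored in the script.

```powershell
# Added example (not from the original post): rename the on-premise VM,
# install the AD DS binaries and create the killerhomelab.com forest.
# Run in an elevated PowerShell session on the server that will become OP-DC.

# Step 1: rename the computer. -Restart reboots immediately, so run the
# remaining commands in a new session after the server comes back up.
Rename-Computer -NewName 'OP-DC' -Restart -Force

# Step 2 (after the reboot): install the AD DS role plus the RSAT tools.
# This is the equivalent of the Add roles and features wizard.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 3: promote to the first DC of a new forest ("Add a new forest" in the
# wizard). The DSRM password is read interactively instead of being embedded.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

Install-ADDSForest `
    -DomainName 'killerhomelab.com' `
    -DomainNetbiosName 'KILLERHOMELAB' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Install-ADDSForest reboots the server when it finishes. After the reboot,
# confirm the forest root and the local DC are listed.
Get-ADForest | Select-Object Name, RootDomain
Get-ADDomainController | Select-Object HostName, Site, IsGlobalCatalog
```

The wizard defaults (install DNS, default database paths, forest and domain functional levels) are what the cmdlet uses when the corresponding parameters are omitted, so the result matches the GUI walkthrough.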

Configuring Preferred DNS Server

  1. Log onto OP-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 6 (TCP/IPv6) then click the Properties button.
  6. Select Obtain DNS Server address automatically then click OK.
  7. Highlight Internet Protocol Version 4 (TCP/IPv4) then click the Properties button.
  8. Select Use the following DNS server addresses then enter the following: Preferred DNS server: 192.168.1.2
  9. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
  10. Click Close to close the Ethernet Properties window then close the Network Connections window.


Configuring DNS Zones

  1. From within Server Manager click on Tools and select DNS.
  2. In the Left-Pane expand DNS | OP-DC | Reverse Lookup Zones then right-click Reverse Lookup Zones and select New Zone…
  3. At the Welcome to the New Zone Wizard click Next.
  4. At the Zone Type screen click Next.
  5. At the Active Directory Zone Replication Scope screen click Next.
  6. At the Reverse Lookup Zone Name screen click Next.
  7. At the 2nd Reverse Lookup Zone Name screen enter 192.168.1 under Network ID: then click Next.
  8. At the Dynamic Update screen click Next.
  9. At the Completing the New Zone Wizard click Finish.
  10. Using the steps above configure an additional Reverse Lookup Zone for the following subnet: 10.1.0
  11. Select then right-click the 1.168.192.in-addr.arpa zone and select New Pointer (PTR)…
  12. Click on the Browse button then double-click OP-DC | Forward Lookup Zones | killerhomelab.com then scroll down and select the OP-DC A Record and click OK, OK.

To verify our DNS Configuration let’s run an nslookup and verify its results are as shown below:

Default Server:   op-dc.killerhomelab.com

Address:    192.168.1.2
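The DNS client settings, both reverse lookup zones and the OP-DC pointer record can be configured with the DnsClient and DnsServer modules instead of the GUI.  The script below is an added example and is not part of the original post; the addresses and names come from this article, while the interface alias 'Ethernet' (the Windows default) is an assumption.  The same Add-DnsServerResourceRecordPtr call is what the KHL-DC pointer record step later in the article does for the 0.1.10.in-addr.arpa zone.

```powershell
# Added example (not from the original post): configure OP-DC's DNS client,
# create the two reverse lookup zones, register the OP-DC PTR and verify.
# Run in an elevated session on OP-DC after the forest has been created.
Import-Module DnsClient
Import-Module DnsServer

$Alias = 'Ethernet'   # assumption: default adapter name on Windows Server

# IPv4: point the DC at itself (the article's Preferred DNS server).
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses '192.168.1.2'

# IPv6: switch the IPv6 DNS server list back to "obtain automatically",
# which is the GUI step the article performs on the TCP/IPv6 properties.
netsh interface ipv6 set dnsservers name="$Alias" source=dhcp

# Reverse lookup zones for both sites, AD-integrated and replicated to all DNS
# servers in the domain with secure dynamic updates only (the wizard defaults).
# The wizard's Network ID "10.1.0" produces the zone 0.1.10.in-addr.arpa,
# which is what a /24 NetworkId creates here.
foreach ($net in '192.168.1.0/24', '10.1.0.0/24') {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# PTR for OP-DC (192.168.1.2) in the 192.168.1 reverse zone.
Add-DnsServerResourceRecordPtr -ZoneName '1.168.192.in-addr.arpa' `
    -Name '2' -PtrDomainName 'op-dc.killerhomelab.com'

# Verify: forward and reverse lookups resolve through 192.168.1.2, and the
# client lists 192.168.1.2 as its IPv4 server (what nslookup reports as
# Default Server / Address).
Resolve-DnsName -Name 'op-dc.killerhomelab.com' -Type A -Server '192.168.1.2'
Resolve-DnsName -Name '192.168.1.2' -Type PTR -Server '192.168.1.2'
Get-DnsClientServerAddress -InterfaceAlias $Alias |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses
```

If the reverse lookup returns nothing, check that the PTR was created in the zone whose name matches the reversed network octets; a zone created from the wrong Network ID silently fails to answer reverse queries for the subnet.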


Creating/Configuring Active Directory Sites

  1. From within Server Manager click on Tools and select Active Directory Sites and Services.
  2. In the Left-Pane right-click Sites and select New Site.
  3. At the New Object – Site screen under Name: enter Azure-KHL then select the DEFAULTIPSITELINK and click OK.
  4. At the Active Directory Domain Services pop-up click OK.
  5. In the Left-Pane right-click Sites and select New Site.
  6. At the New Object – Site screen under Name: enter OnPremise-Lab then select the DEFAULTIPSITELINK and click OK.
  7. At the Active Directory Domain Services pop-up click OK.
  8. In the Left-Pane right-click Subnets and select New Subnet.
  9. At the New Object – Subnet screen under Prefix: enter 192.168.1.0/24 then under Select a site object for this prefix select OnPremise-Lab and click OK.
  10. In the Left-Pane right-click Subnets and select New Subnet.
  11. At the New Object – Subnet screen under Prefix: enter 10.1.0.0/16 then under Select a site object for this prefix select Azure-KHL and click OK.
  12. In the Left-Pane expand Inter-Site Transports and select IP then in the Right-Pane double-click DEFAULTIPSITELINK.
  13. At the DEFAULTIPSITELINK Properties window change the Replicate every setting from 180 to 15 minutes then click OK.


Moving OP-DC to its new AD Site

  1. From within Server Manager click on Tools and select Active Directory Sites and Services.
  2. In the Left-Pane expand Default-First-Site-Name | Servers then right-click OP-DC and select Move.
  3. At the Move Server pop-up select OnPremise-Lab then click OK.
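The sites, subnets, site link interval and server move above map directly onto the ActiveDirectory module's replication cmdlets.  The script below is an added example and is not part of the original post; the site names, prefixes and the 15 minute interval come from this article.

```powershell
# Added example (not from the original post): create the two AD sites and
# their subnets, set DEFAULTIPSITELINK to replicate every 15 minutes and
# move OP-DC out of Default-First-Site-Name. Run on OP-DC as a domain admin.
Import-Module ActiveDirectory

# Site name -> subnet prefix, as associated in the article.
$sites = @{
    'OnPremise-Lab' = '192.168.1.0/24'
    'Azure-KHL'     = '10.1.0.0/16'
}

foreach ($site in $sites.Keys) {
    # Create the site and add it to DEFAULTIPSITELINK, as the wizard does.
    New-ADReplicationSite -Name $site
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $site }

    # Associate the subnet so a server can determine its site from its IP
    # (this is the "site awareness" the promotion wizard relies on later).
    New-ADReplicationSubnet -Name $sites[$site] -Site $site
}

# Lower the inter-site replication interval from the default 180 minutes.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ReplicationFrequencyInMinutes 15

# Move OP-DC into its site.
Move-ADDirectoryServer -Identity 'OP-DC' -Site 'OnPremise-Lab'

# Verify the resulting topology.
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -Properties ReplicationFrequencyInMinutes, SitesIncluded
Get-ADDomainController -Identity 'OP-DC' | Select-Object HostName, Site
```

Get-ADReplicationSubnet should show each prefix bound to its site before the Azure server is promoted; an unbound or wrongly bound subnet is the usual reason a new DC lands in Default-First-Site-Name instead of the intended site.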


Configuring your Azure VM

Let’s head to Azure now by logging into the portal at the URL listed below:

https://portal.azure.com

Let’s start by defining your Azure VM’s DNS Server.  Azure VMs get their DNS Servers defined in one of two ways.  The first, which is the default, is via DHCP.  The second, and the option we will need to use since this VM will serve as a Domain Controller, is by Virtual Network or Network Interface.  Since all of our VMs will share the same Virtual Network, it makes more sense to set the DNS Server at this level; however, we want KHL-DC to point to OP-DC for its DNS and vice versa.  In order to accomplish this we will change the DNS Servers on our KHL-Azure Virtual Network to point to OP-DC and the Network Interface on KHL-DC to point to OP-DC for its DNS Servers.  Don't worry about the fact that KHL-DC is a part of the KHL-Azure Virtual Network, since DNS Server settings set at the Network Interface level override DNS Server settings set at the Virtual Network level.  Follow the steps below to define the On-Premise Domain Controller as the KHL-Azure Virtual Network’s DNS Server as well as defining the DNS Server for KHL-DC by using its Network Interface.

Virtual Network DNS Servers

  1. In the Left-Pane click on Resource Groups then select Killer-Home-Lab.
  2. Under the Killer-Home-Lab Resource Group click on the KHL-Azure Virtual Network.
  3. Under the KHL-Azure Virtual Network click on DNS servers.
  4. At the KHL-Azure - DNS servers screen select Custom, enter 10.1.0.4 then click Save.

KHL-DC Network Interface DNS Servers

  1. In the Left-Pane click on Virtual Machines | KHL-DC.
  2. Under KHL-DC click on Network interfaces.
  3. At the KHL-DC - Network interfaces screen click on the Network Interface.
  4. At the KHL-dc703 - DNS servers screen select Custom, enter 192.168.1.2 then click Save.
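Both DNS settings can be made with the Az PowerShell module, which is handy when the portal layout changes.  The script below is an added example and is not part of the original post; the resource group, virtual network, VM name and the two addresses are the values used in the steps above, and the network interface is looked up from the VM rather than referenced by its generated name.

```powershell
# Added example (not from the original post): set the DNS servers on the
# KHL-Azure virtual network and on KHL-DC's network interface with Az PowerShell.
# Requires the Az module and an interactive sign-in.
Connect-AzAccount | Out-Null

$rg = 'Killer-Home-Lab'

# 1. Virtual network DNS: every VM in KHL-Azure inherits this unless its own
#    NIC overrides it. DhcpOptions is null when no custom DNS was ever set.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'KHL-Azure'
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@('10.1.0.4')
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2. NIC DNS on KHL-DC: NIC-level settings override the VNet setting, so this
#    server resolves through OP-DC while other VMs use the VNet value.
$vm  = Get-AzVM -ResourceGroupName $rg -Name 'KHL-DC'
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add('192.168.1.2')
$nic = Set-AzNetworkInterface -NetworkInterface $nic

# 3. Show both levels, then restart the VM so the guest picks up the NIC change.
$vnet.DhcpOptions.DnsServers
$nic.DnsSettings.DnsServers
Restart-AzVM -ResourceGroupName $rg -Name 'KHL-DC'
```

After the restart, the guest's own DNS client should list only 192.168.1.2; if it still shows the Azure-provided resolver, the NIC update has not been applied yet.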

Once these changes are complete KHL-DC will require a reboot (if it does not reboot on its own, reboot it manually).  When the reboot is complete we will need to connect to our Azure VM (KHL-DC) via remote desktop.  To do this follow the steps below:

  1. Navigate to the file under Downloads and double-click on KHL-DC.
  2. At the Remote Desktop Connection pop-up click Connect.
  3. At the Windows Security screen enter your credentials.
  4. At the Untrusted Certificate pop-up click Yes.

Once we are logged into KHL-DC we need to verify that it is using OP-DC as its DNS Server.  We can do that by running an nslookup: the Default Server should be op-dc.killerhomelab.com with Address 192.168.1.2.

Now that we know we are correctly pointed to OP-DC let’s promote KHL-DC as the 1st Domain Controller in our Azure AD Site.  As mentioned earlier in the article, in order to promote a 2012 R2 server to a Domain Controller we must first install the Active Directory Domain Services binaries.  This can be done following the steps below:

  1. From the taskbar click on Server Manager.
  2. Under the Configure this local server section click on Add roles and features.
  3. At the Before you begin screen click Next.
  4. At the Select installation type screen click Next.
  5. At the Select destination server screen click Next.
  6. At the Select server roles screen select Active Directory Domain Services then at the Add features… pop-up click Add Features then Next.
  7. At the Select features screen click Next.
  8. At the Active Directory Domain Services screen click Next.
  9. At the Confirm installation selections screen click Install.
  10. When setup completes click Close.


Deploying our Azure Domain Controller

  1. In the Right-Pane click on the Yellow Caution Sign then click Promote this server to a domain controller.
  2. At the Deployment Configuration screen under the Select the deployment operation section make sure Add a domain controller to an existing domain is selected.
  3. Under the Specify the domain information for this operation section enter killerhomelab.com for the Domain name.
  4. Under the Supply the credentials to perform this operation section click Change.
  5. At the Credentials for deployment operation pop-up enter the credentials that were used to run the promotion on OP-DC then click OK, then Next.

***Note:  Make sure the format is DOMAIN\Account (Ex: KILLERHOMELAB\khl-admin).

As you can see on the next screen the Site name: has already been selected for us.  This is because the server is Site Aware.  Site Awareness allows a server to determine which AD Site it is a part of based on its IP subnet.  Since we associated the 10.1.0.0/16 subnet to the Azure-KHL AD Site earlier in the article, the server has already chosen its Site Name.

  6. At the Domain Controller Options screen enter a password under the Type the Directory Services Restore Mode (DSRM) password section then click Next.
  7. At the DNS Options screen click Next.
  8. At the Additional Options screen click Next.
  9. At the Paths screen click Next.
  10. At the Review Options screen click Next.
  11. At the Prerequisites Check screen click Install.
  12. When setup completes Reboot the Server.
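The same promotion, including the site-awareness behaviour described above, can be done with Install-ADDSDomainController.  The script below is an added example and is not part of the original post; the domain, the KILLERHOMELAB\khl-admin account format and the Azure-KHL site name come from this article.

```powershell
# Added example (not from the original post): promote KHL-DC as an additional
# DC in killerhomelab.com and confirm it was placed in the Azure-KHL site.
# Run in an elevated session on KHL-DC after its NIC DNS points at OP-DC.

# Pre-check: the domain's DC locator record must resolve through OP-DC before
# promotion is attempted; an empty answer here means the DNS change above
# has not taken effect and the promotion would fail to find the domain.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.killerhomelab.com' -Type SRV

# Install the role binaries (the Add roles and features wizard equivalent).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Credentials in DOMAIN\Account form, as the article's note requires.
$cred = Get-Credential -Message 'Enter KILLERHOMELAB\khl-admin credentials'
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# -SiteName is deliberately omitted: the server is site aware and selects
# Azure-KHL from its 10.1.0.0/16 address. Add -SiteName 'Azure-KHL' to force it.
Install-ADDSDomainController `
    -DomainName 'killerhomelab.com' `
    -Credential $cred `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the reboot: verify the site the DC joined and check that initial
# replication with OP-DC has completed before making further changes.
Get-ADDomainController -Identity 'KHL-DC' | Select-Object HostName, Site, IsGlobalCatalog
nltest /dsgetsite
repadmin /showrepl
```

If Get-ADDomainController reports Default-First-Site-Name instead of Azure-KHL, the 10.1.0.0/16 subnet object was not bound to the site before promotion; Move-ADDirectoryServer corrects it afterwards without a re-promotion.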


Once KHL-DC completes its reboot it is now a Domain Controller within the killerhomelab.com Domain.  Even though it has successfully been promoted, we must wait until it has completed replication before continuing.


Next we will make another tweak to KHL-DC, this time to its IPv6 DNS Server setting.  Since we will not be configuring IPv6 in our lab, we will remove the IPv6 loopback entry from our IPv6 DNS Settings.

  1. Log onto KHL-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 6 (TCP/IPv6) then click the Properties button.
  6. Select Obtain DNS Server address automatically then click OK, Close.

Configuring DNS Pointer Records for KHL-DC

  1. From within Server Manager click on Tools and select DNS.
  2. Select then right-click the 0.1.10.in-addr.arpa zone and select New Pointer (PTR)…
  3. Click on the Browse button then double-click KHL-DC | Forward Lookup Zones | killerhomelab.com then scroll down and select the KHL-DC A Record and click OK, OK.

To verify our DNS Configuration let’s run an nslookup and verify its results are as shown below:

Default Server:   op-dc.killerhomelab.com

Address:    192.168.1.2

Finally, we will be making one last change to our DNS Server settings on OP-DC.  We will be setting its DNS Server settings to point to KHL-DC for its Primary DNS and itself for Alternate DNS.

  1. Log onto OP-DC.
  2. On the right side of the Taskbar right-click the Network Connection and select Open Network and Sharing Center.
  3. In the right-pane click on Change adapter settings.
  4. Right-click Ethernet and select Properties.
  5. Highlight Internet Protocol Version 4 (TCP/IPv4) then click the Properties button.
  6. Under Use the following DNS server addresses: enter the following:

Preferred DNS Server:   10.1.0.4

Alternate DNS Server:   192.168.1.2


Now that we have both of our Domain Controllers up and running, let’s make sure that they are replicating correctly.  We will do this by creating a test account on OP-DC and then forcing its replication to the KHL-DC.  Let’s start by creating the account.


  1. From within Server Manager click on Tools and select Active Directory Users and Computers.
  2. Leave your existing ADUC (Active Directory Users and Computers) open then from within Server Manager click on Tools and select Active Directory Users and Computers to open a 2nd ADUC window.
  3. In the 2nd window from the Left-pane right-click Active Directory Users and Computers [OP-DC.killerhomelab.com] then select Change Domain Controller.
  4. At the Change Directory Server pop-up select KHL-DC.killerhomelab.com then click OK.
  5. From within Server Manager click on Tools and select Active Directory Sites and Services.
  6. Arrange the 2 ADUC windows and 1 Active Directory Sites and Services window side by side.
  7. From the OP-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select New | User.
  8. At the New Object – User screen enter the following then click Next:

First name:          KHL

Last name:           User1

Full name:           KHL User1

User logon name:     KHL-User1

  9. At the password screen enter the following and uncheck User must change password at next logon then click Next, then Finish:

Password:            P@$$w0rd1

Confirm password:    P@$$w0rd1


At this point we have created our account on OP-DC but it has not been replicated over to KHL-DC.  Let’s switch to the KHL-DC ADUC Instance and verify the account does not exist yet.

  1. From the KHL-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select Refresh.


As shown above you can see that KHLUser1 exists on OP-DC but has not been replicated to KHL-DC.  To force replication we will be using the Active Directory Sites and Services console which we opened earlier.  Follow the steps below to force the replication of the KHLUser1 object from OP-DC to KHL-DC.

  1. Switch to the Active Directory Sites and Services window then within the Left-Pane expand Sites | Azure-KHL | Servers | KHL-DC then select NTDS Settings.
  2. In the Right-Pane right-click the <automatically generated> connection object to OP-DC and select Replicate.
  3. At the Replicate Now pop-up click OK.
  4. From the KHL-DC ADUC instance within the Left-Pane expand killerhomelab.com then right-click Users and select Refresh.
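The whole replication test (create the user against OP-DC, confirm it is missing on KHL-DC, force replication, confirm it arrived) can be scripted so it is repeatable.  The script below is an added example and is not part of the original post; the user details and DC names come from this article, and the password is read at the prompt instead of using the article's literal value.

```powershell
# Added example (not from the original post): the article's replication test
# in PowerShell. Run on OP-DC as a domain admin.
Import-Module ActiveDirectory

$src = 'OP-DC.killerhomelab.com'
$dst = 'KHL-DC.killerhomelab.com'

# Create KHL User1 against OP-DC only (-Server pins the DC written to).
$pw = Read-Host -Prompt 'Password for KHL-User1' -AsSecureString
New-ADUser -Server $src `
    -Name 'KHL User1' -GivenName 'KHL' -Surname 'User1' `
    -SamAccountName 'KHL-User1' -UserPrincipalName 'KHL-User1@killerhomelab.com' `
    -AccountPassword $pw -ChangePasswordAtLogon $false -Enabled $true

function Test-UserOnDc([string]$Dc, [string]$Sam) {
    # -Identity throws when the object is missing; a filter just returns nothing,
    # which makes "not replicated yet" a clean $false instead of an error.
    $null -ne (Get-ADUser -Server $Dc -Filter "SamAccountName -eq '$Sam'")
}

# Before forcing replication the account is visible on OP-DC only (the
# KHL-DC query returns $false until the next inter-site replication cycle).
"Present on OP-DC:  $(Test-UserOnDc $src 'KHL-User1')"
"Present on KHL-DC: $(Test-UserOnDc $dst 'KHL-User1')"

# Replicate just this object from OP-DC to KHL-DC.
$user = Get-ADUser -Server $src -Identity 'KHL-User1'
Sync-ADObject -Object $user.DistinguishedName -Source $src -Destination $dst

"Present on KHL-DC after sync: $(Test-UserOnDc $dst 'KHL-User1')"

# Equivalent of the console's Replicate Now for the whole domain partition
# (destination first, then source), followed by an overall replication status.
repadmin /replicate $dst $src 'DC=killerhomelab,DC=com'
repadmin /showrepl $dst
```

Sync-ADObject moves one object, which is useful when you want to confirm the inter-site link works without waiting for the 15 minute schedule; repadmin /showrepl is the place to look if the second check still returns False, since it reports the last attempt and error for each replication partner.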

As you can see our user KHLUser1 has successfully been replicated.  You have now deployed a Multi-Site Active Directory Infrastructure!!!  This completes Part 2 of the Killer Home Lab Series.  In Part 3 we will be deploying a PKI Infrastructure within our lab using Microsoft Active Directory Certificate Services. Have fun with the lab!!!

Thanks,

Elliott
