Yandex project
© 2025 Yandex.Cloud LLC
Deploying Active Directory

Written by
Yandex Cloud
Updated at May 7, 2025
  • Get your cloud ready
    • Required paid resources
  • Create a cloud network and subnets
  • Create a script to manage a local administrator account
  • Create a VM for Active Directory
  • Create a VM for a bastion host
  • Install and configure Active Directory
  • Configure the second domain controller
  • Test Active Directory
  • How to delete the resources you created

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

The tutorial provides an example of how to deploy Active Directory in Yandex Cloud.

To deploy the Active Directory infrastructure:

  1. Get your cloud ready.
  2. Create a cloud network and subnets.
  3. Create a script to manage a local administrator account.
  4. Create a virtual machine for Active Directory.
  5. Create a VM for a bastion host.
  6. Install and configure Active Directory.
  7. Configure the second domain controller.
  8. Test Active Directory.

If you no longer need the infrastructure, delete all the resources it uses.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

Required paid resources

The Active Directory installation cost includes:

  • Fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • Fee for outbound traffic from Yandex Cloud to the internet (see Compute Cloud pricing).

Create a cloud network and subnets

Create a cloud network named ad-network with subnets in all availability zones where your VMs will be located.

  1. Create a cloud network:

    Management console:

    To create a cloud network:

    1. Open the Virtual Private Cloud section of the folder where you want to create a cloud network.
    2. Click Create network.
    3. Enter the network name: ad-network.
    4. Click Create network.

    CLI:

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    To create a cloud network, run this command:

    yc vpc network create --name ad-network
    
  2. Create three subnets in ad-network:

    Management console:

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create a subnet.
    2. Click the cloud network name.
    3. Click Add subnet.
    4. Fill out the form: enter ad-subnet-a as the subnet name and select the ru-central1-a availability zone from the drop-down list.
    5. Enter the subnet CIDR: IP address and subnet mask 10.1.0.0/16.
    6. Click Create subnet.

    Repeat these steps for two more subnets:

    • Name: ad-subnet-b. Availability zone: ru-central1-b. CIDR: 10.2.0.0/16.
    • Name: ad-subnet-d. Availability zone: ru-central1-d. CIDR: 10.3.0.0/16.

    CLI:

    To create subnets, run these commands:

    yc vpc subnet create \
      --name ad-subnet-a \
      --zone ru-central1-a \
      --network-name ad-network \
      --range 10.1.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-b \
      --zone ru-central1-b \
      --network-name ad-network \
      --range 10.2.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-d \
      --zone ru-central1-d \
      --network-name ad-network \
      --range 10.3.0.0/16
    

Create a script to manage a local administrator account

When creating a VM via the CLI, you need to set a password for the local administrator account.

To do this, in the working directory of your command-line session, create a file named setpass without an extension. Copy the script below into the file and replace <your password> with your own password:

#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

The password must meet the complexity requirements.

You can read more about the best practices for securing Active Directory on the official Microsoft website.

Create a VM for Active Directory

Create two VMs for Active Directory domain controllers. These VMs will not have internet access.

Management console:
  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    • Go to the Custom tab.
    • Click Select and select Create in the window that opens.
    • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload your own image for Microsoft products, see Importing a custom image.
    • Optionally, enable Additional in the Delete along with the virtual machine field if you need to automatically delete this disk when deleting the VM.
    • Click Add disk.
  3. Under Location, select the ru-central1-a availability zone.

  4. Under Disks and file storages, enter 50 GB as your boot disk size.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake.
    • vCPU: 4.
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB.
  6. Under Network settings, specify:

    • Subnet: ad-subnet-a.
    • Public IP address: No address.
    • Expand the Additional section; in the Internal IPv4 address field, select Manual.
    • In the input field that appears, enter 10.1.0.3.
  7. Under General information, specify the VM name: ad-vm-a.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.

Repeat the steps for the ad-vm-b VM in the ru-central1-b availability zone, connect it to the ad-subnet-b subnet, and manually specify the internal IP address: 10.2.0.3.

CLI:

yc compute instance create \
  --name ad-vm-a \
  --hostname ad-vm-a \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-a \
  --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass

yc compute instance create \
  --name ad-vm-b \
  --hostname ad-vm-b \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-b \
  --network-interface subnet-name=ad-subnet-b,ipv4-address=10.2.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass

Note

The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

To change this behavior, i.e., to pass the variable name itself to the VM metadata in $<variable_name> format rather than its value from the CLI runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.
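The following is an added example, not part of the Yandex Cloud tutorial. It combines the setpass script from the "Create a script to manage a local administrator account" section with the environment-variable substitution described in the Note above: the setpass file contains only the reference $ADMIN_PASSWORD, and the yc CLI replaces it with the variable's value at upload time, so the password never lands in a file on your workstation. The variable name ADMIN_PASSWORD and the 12-character minimum length are this example's own assumptions; the yc command is the ad-vm-a command from the section above.

```powershell
# Added example (not from the Yandex Cloud tutorial): keep the local administrator
# password out of the setpass file by using the CLI's $<variable_name> substitution.
# Assumptions: variable name ADMIN_PASSWORD, minimum password length 12.

function Test-PasswordComplexity {
    param([Parameter(Mandatory)][string]$Password, [int]$MinLength = 12)
    # Windows complexity rules need characters from at least three of the four
    # categories below; the length floor is this example's choice.
    $matched = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match '[0-9]'),
        ($Password -match '[^A-Za-z0-9]')
    ) | Where-Object { $_ }
    return ($Password.Length -ge $MinLength) -and (@($matched).Count -ge 3)
}

function New-SetpassFile {
    param([string]$Path = 'setpass')
    # Single-quoted here-string: $ADMIN_PASSWORD stays literal in the file and is
    # substituted by the yc CLI when the metadata is uploaded.
    $content = @'
#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "$ADMIN_PASSWORD" -AsPlainText -Force)
'@
    # ASCII without BOM: the #ps1 marker must be the first bytes of the file
    Set-Content -Path $Path -Value $content -Encoding ascii
    return $Path
}

# Prompt without echo, validate, and expose the value to yc only through the
# environment of this session
$secure = Read-Host -Prompt 'Local administrator password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if (-not (Test-PasswordComplexity -Password $plain)) {
    throw 'Password does not meet the complexity requirements'
}
$setpass = New-SetpassFile -Path 'setpass'
$env:ADMIN_PASSWORD = $plain

yc compute instance create `
  --name ad-vm-a `
  --hostname ad-vm-a `
  --memory 8 `
  --cores 4 `
  --zone ru-central1-a `
  --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 `
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
  --metadata-from-file user-data=$setpass

# Drop the variable as soon as the CLI no longer needs it
Remove-Item Env:\ADMIN_PASSWORD
```

This keeps the secret out of files and shell history on the workstation, but the substituted value is still stored in the VM's user-data metadata and is readable from inside the VM through the metadata service, so treat it as an initial password and change it once the domain is up.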

Create a VM for a bastion host

A bastion host (jump server) with internet access is used to configure the Active Directory VMs, which have no public IP addresses.

Management console:
  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    • Go to the Custom tab.
    • Click Select and select Create in the window that opens.
    • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload your own image for Microsoft products, see Importing a custom image.
    • Optionally, enable Additional in the Delete along with the virtual machine field if you need to automatically delete this disk when deleting the VM.
    • Click Add disk.
  3. Under Location, select the ru-central1-d availability zone.

  4. Under Disks and file storages, enter 50 GB as your boot disk size.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake.
    • vCPU: 2.
    • Guaranteed vCPU performance: 100%.
    • RAM: 4 GB.
  6. Under Network settings:

    • In the Subnet field, select ad-subnet-d.
    • In the Public IP address field, leave Auto.
  7. Under General information, specify the VM name: jump-server-vm.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.

CLI:

yc compute instance create \
  --name jump-server-vm \
  --hostname jump-server-vm \
  --memory 4 \
  --cores 2 \
  --zone ru-central1-d \
  --network-interface subnet-name=ad-subnet-d,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass

Install and configure Active Directory

Active Directory VMs do not have internet access. To configure them, use jump-server-vm through RDP.

  1. Connect to jump-server-vm through RDP. Use Administrator as your username and your password.

  2. Run RDP and connect to ad-vm-a using its local IP address, the Administrator username and your password.

  3. Run PowerShell and set a static IP address:

    netsh interface ip set address "eth0" static 10.1.0.3 255.255.0.0 10.1.0.1
    
  4. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    

    Result:

    Success  Restart Needed  Exit Code  Feature Result
    -------  --------------  ---------  --------------
    True     No              Success    {Active Directory Domain Services, Group P...
    
  5. Create an Active Directory forest:

    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
    

    Next, enter the Directory Services Restore Mode (DSRM) password and confirm it.

    Windows will restart automatically. Reconnect to ad-vm-a and launch PowerShell.

  6. Rename the default site to ru-central1-a:

    Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
    
  7. Create two more sites for the other availability zones:

    New-ADReplicationSite 'ru-central1-b'
    New-ADReplicationSite 'ru-central1-d'
    
  8. Create subnets and link them to the sites:

    New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'ru-central1-a'
    New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'ru-central1-b'
    New-ADReplicationSubnet -Name '10.3.0.0/16' -Site 'ru-central1-d'
    
  9. Rename the site link and configure replication:

    $link = Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' -Properties options
    Set-ADReplicationSiteLink $link -SitesIncluded @{Add='ru-central1-b'} -ReplicationFrequencyInMinutes 15
    # Bit 0x1 of the options attribute (USE_NOTIFY) enables change notification on the link;
    # $_ is not bound when used directly as a cmdlet argument, so compute the value from $link
    Set-ADObject $link -Replace @{options = ([int]$link.options -bor 1)}
    Rename-ADObject $link -NewName 'ru-central1'
    
  10. Set the DNS server forwarder:

    Set-DnsServerForwarder '10.1.0.2'
    
  11. Configure the DNS client:

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses "10.2.0.3","127.0.0.1"
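
The following is an added example, not part of the Yandex Cloud tutorial: a check you can run on ad-vm-a after steps 6 to 11 and before promoting the second domain controller, to confirm that the site topology really is what the tutorial intends (each subnet linked to its availability-zone site, the renamed site link covering both DC sites, a 15-minute interval and change notification enabled). The expected names, CIDRs and values are the tutorial's own; the function name Test-AdSiteTopology is this example's.

```powershell
# Added example (not from the Yandex Cloud tutorial): verify the AD site topology
# built in the "Install and configure Active Directory" section.

$expectedSubnets = @{
    '10.1.0.0/16' = 'ru-central1-a'
    '10.2.0.0/16' = 'ru-central1-b'
    '10.3.0.0/16' = 'ru-central1-d'
}
$expectedLink = 'ru-central1'
$linkSites    = @('ru-central1-a', 'ru-central1-b')

function Test-AdSiteTopology {
    $problems = [System.Collections.Generic.List[string]]::new()

    # Every tutorial subnet must exist and point at its availability-zone site
    foreach ($cidr in $expectedSubnets.Keys) {
        $subnet = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'" -Properties Site
        if (-not $subnet)      { $problems.Add("subnet $cidr is missing"); continue }
        if (-not $subnet.Site) { $problems.Add("subnet $cidr is not linked to any site"); continue }
        $siteName = (Get-ADObject $subnet.Site).Name
        if ($siteName -ne $expectedSubnets[$cidr]) {
            $problems.Add("subnet $cidr is linked to site '$siteName', expected '$($expectedSubnets[$cidr])'")
        }
    }

    # The renamed site link must include both DC sites, replicate every 15 minutes
    # and have change notification (bit 0x1 of the options attribute) enabled
    $link = Get-ADReplicationSiteLink -Filter "Name -eq '$expectedLink'" -Properties options
    if (-not $link) {
        $problems.Add("site link '$expectedLink' is missing (was DEFAULTIPSITELINK renamed?)")
    } else {
        $included = $link.SitesIncluded | ForEach-Object { (Get-ADObject $_).Name }
        foreach ($s in $linkSites) {
            if ($included -notcontains $s) { $problems.Add("site link does not include '$s'") }
        }
        if ($link.ReplicationFrequencyInMinutes -ne 15) {
            $problems.Add("replication interval is $($link.ReplicationFrequencyInMinutes) min, expected 15")
        }
        if (-not ([int]$link.options -band 1)) {
            $problems.Add('change notification is not enabled on the site link')
        }
    }
    return $problems
}

$issues = Test-AdSiteTopology
if ($issues.Count -eq 0) { 'Site topology matches the tutorial' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell session on ad-vm-a with the ActiveDirectory module loaded (it is installed with the management tools in step 4). Any reported problem is worth fixing before step 6 of the next section, because Install-ADDSDomainController places the new controller in a site based on the subnet objects checked here.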
    

Configure the second domain controller

  1. Connect to jump-server-vm through RDP.

  2. Using RDP, connect to ad-vm-b using its local IP address, the Administrator username, and your password.

  3. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    

    Result:

    Success  Restart Needed  Exit Code       Feature Result
    -------  --------------  ---------       --------------
    True     No              NoChangeNeeded  {}
    
  4. Configure the DNS client:

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses "10.1.0.3","127.0.0.1"
    
  5. Configure a static IP address:

    netsh interface ip set address "eth0" static 10.2.0.3 255.255.0.0 10.2.0.1
    
  6. Add the controller to the domain:

    Install-ADDSDomainController `
        -Credential (Get-Credential "yantoso\Administrator") `
        -DomainName 'yantoso.net' `
        -Force:$true
    

    Next, enter the Directory Services Restore Mode (DSRM) password and confirm it.

    Windows will restart automatically. Reconnect to ad-vm-b and launch PowerShell.

  7. Set the DNS server forwarder:

    Set-DnsServerForwarder '10.2.0.2'
    

Test Active Directory

  1. Connect to jump-server-vm through RDP.

  2. Using RDP, connect to ad-vm-b using its local IP address, the Administrator username, and your password. Launch PowerShell.

  3. Create a test user:

    New-ADUser testUser
    
  4. Make sure the user is present on both servers:

    Get-ADUser testUser -Server 10.1.0.3
    Get-ADUser testUser -Server 10.2.0.3
    

    The results of both commands must be the same:

    DistinguishedName : CN=testUser,CN=Users,DC=yantoso,DC=net
    Enabled           : False
    GivenName         :
    Name              : testUser
    ObjectClass       : user
    ObjectGUID        : 7202f41a-(...)-2d168ecd5271
    SamAccountName    : testUser
    SID               : S-1-5-21-(...)-1105
    Surname           :
    UserPrincipalName :
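
The following is an added example, not part of the Yandex Cloud tutorial. It extends the manual comparison in step 4: instead of eyeballing two Get-ADUser outputs, it checks that both controllers return the same ObjectGUID for the test user and then reads the replication status of each controller, so a stale or failed replication partner shows up even when the user happens to be present on both servers. The addresses and the user name are the tutorial's own; the function name Test-AdReplicationConsistency is this example's.

```powershell
# Added example (not from the Yandex Cloud tutorial): confirm the test user is the
# same object on both domain controllers and that inbound replication is healthy.

$controllers = @('10.1.0.3', '10.2.0.3')
$userName    = 'testUser'

function Test-AdReplicationConsistency {
    param([string[]]$Servers, [string]$SamAccountName)
    $report = [ordered]@{}

    # The same object must resolve to one ObjectGUID on every DC; a missing object
    # or differing GUIDs means the creation has not replicated (or was created twice)
    $guids = foreach ($s in $Servers) {
        try   { (Get-ADUser -Identity $SamAccountName -Server $s -ErrorAction Stop).ObjectGUID.Guid }
        catch { $null }
    }
    $report['ObjectConsistent'] = ($guids -notcontains $null) -and
                                  (@($guids | Select-Object -Unique).Count -eq 1)

    # Inbound replication status per DC: any failure or a stale LastReplicationSuccess
    # should be investigated before relying on the domain
    $report['Failures'] = foreach ($s in $Servers) {
        Get-ADReplicationFailure -Target $s -ErrorAction SilentlyContinue
    }
    $report['Partners'] = foreach ($s in $Servers) {
        Get-ADReplicationPartnerMetadata -Target $s -ErrorAction SilentlyContinue |
            Select-Object Server, Partner, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures
    }
    return $report
}

$r = Test-AdReplicationConsistency -Servers $controllers -SamAccountName $userName
"Test user consistent on all DCs: $($r.ObjectConsistent)"
$r.Partners | Format-Table -AutoSize
if (@($r.Failures).Count -gt 0) { $r.Failures | Format-List }
```

Run it from the same PowerShell session on ad-vm-b used in steps 3 and 4. A LastReplicationResult of 0 with a recent LastReplicationSuccess for each partner, no failures, and ObjectConsistent equal to True is the outcome that matches the tutorial's "results must be the same" check.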
    

How to delete the resources you created

To stop paying for the deployed servers, delete all the VMs you created.
