Deploying Active Directory
- Prepare your cloud
- Create a cloud network and subnets
- Create a script to manage a local administrator account
- Create a VM for Active Directory
- Create a VM for a bastion host
- Install and configure Active Directory
- Configure the second domain controller
- Test Active Directory
- How to delete the resources you created
Warning
In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.
The scenario provides an example of how to deploy Active Directory in Yandex Cloud.
To deploy the Active Directory infrastructure:
- Prepare your cloud.
- Create a cloud network and subnets.
- Create a script to manage a local administrator account.
- Create a virtual machine for Active Directory.
- Create a VM for a bastion host.
- Install and configure Active Directory.
- Configure the second domain controller.
- Test Active Directory.
If you no longer need the infrastructure, delete all the resources it uses.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Note
Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.
Required paid resources
The Active Directory installation cost includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for outbound traffic from Yandex Cloud to the internet (see Compute Cloud pricing).
Create a cloud network and subnets
Create a cloud network named ad-network with subnets in all availability zones where your VMs will be located.
- Create a cloud network.
Management console:
- Open the Virtual Private Cloud section of the folder where you want to create a cloud network.
- Click Create network.
- Enter the network name: ad-network.
- Click Create network.
CLI:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To create a cloud network, run the command:
yc vpc network create --name ad-network
- Create three subnets in ad-network.
Management console:
- Open the Virtual Private Cloud section in the folder to create a subnet in.
- Click the name of the cloud network.
- Click Add subnet.
- Fill out the form: enter ad-subnet-a as the subnet name and select the ru-central1-a availability zone from the drop-down list.
- Enter 10.1.0.0/16 as the subnet CIDR (IP address and mask).
- Click Create subnet.
Repeat the steps for two more subnets:
- Name: ad-subnet-b. Availability zone: ru-central1-b. CIDR: 10.2.0.0/16.
- Name: ad-subnet-d. Availability zone: ru-central1-d. CIDR: 10.3.0.0/16.
CLI:
To create the subnets, run the following commands:
yc vpc subnet create \
  --name ad-subnet-a \
  --zone ru-central1-a \
  --network-name ad-network \
  --range 10.1.0.0/16
yc vpc subnet create \
  --name ad-subnet-b \
  --zone ru-central1-b \
  --network-name ad-network \
  --range 10.2.0.0/16
yc vpc subnet create \
  --name ad-subnet-d \
  --zone ru-central1-d \
  --network-name ad-network \
  --range 10.3.0.0/16
Create a script to manage a local administrator account
When creating a VM via the CLI, you need to set a password for the local administrator account.
To do this, in the directory you run the CLI from, create a file named setpass without an extension. Copy the script below into the file and replace <your password> with your password:
#ps1
# The built-in administrator account always has RID 500, whatever it is currently named
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
The password must meet the Windows password complexity requirements. The file stores the password in clear text and passes it to the VM as metadata, so keep it out of shared locations and version control.
You can read more about best practices for securing Active Directory on the official Microsoft website.
Create a VM for Active Directory
Create two VMs for the Active Directory domain controllers. These VMs will not have internet access.
Management console:
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name: ad-vm-a.
- Select the ru-central1-a availability zone.
- Under Image/boot disk selection → Cloud Marketplace, click Show more. In the window that opens, select the Windows Server 2022 Datacenter image and click Use.
- Under Disks, enter 50 GB for the size of the boot disk.
- Under Computing resources:
  - Select the platform: Intel Ice Lake.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 4
    - Guaranteed vCPU share: 100%
    - RAM: 8 GB
- Under Network settings:
  - Select the ad-subnet-a subnet.
  - Public address: No address.
  - Internal address: select Manual and specify 10.1.0.3.
- Click Create VM.
Wait for the VM status to change to Running and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
Repeat the steps for the ad-vm-b VM in the ru-central1-b availability zone: connect it to the ad-subnet-b subnet and manually specify the internal IP address 10.2.0.3.
CLI:
Run the following commands. The setpass file created in the previous step is passed as VM metadata to set the administrator password.
yc compute instance create \
  --name ad-vm-a \
  --hostname ad-vm-a \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-a \
  --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass
yc compute instance create \
  --name ad-vm-b \
  --hostname ad-vm-b \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-b \
  --network-interface subnet-name=ad-subnet-b,ipv4-address=10.2.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass
Create a VM for a bastion host
A bastion host (jump server) with internet access is used to configure the Active Directory VMs.
Management console:
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name: jump-server-vm.
- Select the ru-central1-d availability zone.
- Under Image/boot disk selection → Cloud Marketplace, click Show more. In the window that opens, select the Windows Server 2022 Datacenter image and click Use.
- Under Disks, enter 50 GB for the size of the boot disk.
- Under Computing resources:
  - Select the platform: Intel Ice Lake.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 2
    - Guaranteed vCPU share: 100%
    - RAM: 4 GB
- Under Network settings, select ad-subnet-d. Under Public address, select Automatically.
- Click Create VM.
Wait for the VM status to change to Running and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
CLI:
yc compute instance create \
  --name jump-server-vm \
  --hostname jump-server-vm \
  --memory 4 \
  --cores 2 \
  --zone ru-central1-d \
  --network-interface subnet-name=ad-subnet-d,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk \
  --metadata-from-file user-data=setpass
Install and configure Active Directory
The Active Directory VMs do not have internet access. To configure them, use the jump-server-vm VM through RDP.
- Connect to jump-server-vm through RDP. Use Administrator as the username, and your password.
- Run RDP and connect to ad-vm-a using its local IP address, the Administrator username, and your password.
- Run PowerShell and set a static IP address:
netsh interface ip set address "eth0" static 10.1.0.3 255.255.255.0 10.1.0.1
- Assign the Active Directory roles:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Result:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Group P...
- Create an Active Directory forest:
Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
Then enter the Directory Services Restore Mode password when prompted and confirm it.
Windows restarts automatically. Reconnect to ad-vm-a and launch PowerShell.
- Rename the default site to ru-central1-a:
Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
- Create two more sites for the other availability zones:
New-ADReplicationSite 'ru-central1-b'
New-ADReplicationSite 'ru-central1-d'
- Create subnets and link them to the sites:
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'ru-central1-a'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'ru-central1-b'
New-ADReplicationSubnet -Name '10.3.0.0/16' -Site 'ru-central1-d'
- Rename the site link and configure replication:
# Read the link together with its "options" attribute so existing flags are preserved
$link = Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' -Properties options
# Add the second site to the link and replicate every 15 minutes
$link | Set-ADReplicationSiteLink -SitesIncluded @{Add='ru-central1-b'} -ReplicationFrequencyInMinutes 15
# Bit 1 of "options" enables change notification between the sites on this link
$link | Set-ADObject -Replace @{options = ([int]$link.options -bor 1)}
$link | Rename-ADObject -NewName 'ru-central1'
- Set the DNS forwarder:
Set-DnsServerForwarder '10.1.0.2'
- Configure the DNS client:
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses "10.2.0.3,127.0.0.1"
Configure the second domain controller
- Connect to jump-server-vm through RDP.
- Using RDP, connect to ad-vm-b using its local IP address, the Administrator username, and your password.
- Assign the Active Directory roles:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Result:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             NoChangeNeeded {}
- Configure the DNS client:
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses "10.1.0.3,127.0.0.1"
- Configure a static IP address:
netsh interface ip set address "eth0" static 10.2.0.3 255.255.255.0 10.2.0.1
- Add the controller to the domain:
Install-ADDSDomainController `
  -Credential (Get-Credential "yantoso\Administrator") `
  -DomainName 'yantoso.net' `
  -Force:$true
Then enter the password and confirm it.
Windows restarts automatically. Reconnect to ad-vm-b and launch PowerShell.
- Set the DNS forwarder:
Set-DnsServerForwarder '10.2.0.2'
Test Active Directory
- Connect to jump-server-vm through RDP.
- Using RDP, connect to ad-vm-b using its local IP address, the Administrator username, and your password. Launch PowerShell.
- Create a test user:
New-ADUser testUser
- Make sure the user is present on both servers:
Get-ADUser testUser -Server 10.1.0.3
Get-ADUser testUser -Server 10.2.0.3
The results of both commands must be the same:
DistinguishedName : CN=testUser,CN=Users,DC=yantoso,DC=net
Enabled           : False
GivenName         :
Name              : testUser
ObjectClass       : user
ObjectGUID        : 7202f41a-(...)-2d168ecd5271
SamAccountName    : testUser
SID               : S-1-5-21-(...)-1105
Surname           :
UserPrincipalName :
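A check script for the site topology and replication state built in this scenario, added here as an example; it is not part of the original Yandex Cloud scenario. It assumes the site names, subnet prefixes, site link name, controller addresses and testUser account used above, and runs in PowerShell on either domain controller, where the ActiveDirectory module is already installed.

```powershell
Import-Module ActiveDirectory

# Values used in this scenario (assumed; adjust if you changed them)
$expectedSites   = @('ru-central1-a', 'ru-central1-b', 'ru-central1-d')
$expectedSubnets = @{ '10.1.0.0/16' = 'ru-central1-a'
                      '10.2.0.0/16' = 'ru-central1-b'
                      '10.3.0.0/16' = 'ru-central1-d' }
$controllers = @('10.1.0.3', '10.2.0.3')
$failed = $false

# 1. Every availability zone has an AD site
$sites = (Get-ADReplicationSite -Filter *).Name
foreach ($site in $expectedSites) {
    if ($sites -notcontains $site) { Write-Warning "Site $site is missing"; $failed = $true }
}

# 2. Each subnet prefix is linked to the site of its availability zone
foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
    $siteName = ($subnet.Site -split ',')[0] -replace '^CN='   # first RDN of the site DN
    $want = $expectedSubnets[$subnet.Name]
    if ($want -and $siteName -ne $want) {
        Write-Warning "Subnet $($subnet.Name) is in site $siteName, expected $want"; $failed = $true
    }
}

# 3. The site link replicates every 15 minutes with change notification (options bit 1)
$link = Get-ADReplicationSiteLink 'ru-central1' -Properties options
if ($link.ReplicationFrequencyInMinutes -ne 15 -or -not ([int]$link.options -band 1)) {
    Write-Warning "Site link ru-central1: interval $($link.ReplicationFrequencyInMinutes) min, options $($link.options)"
    $failed = $true
}

# 4. Each controller's last inbound replication succeeded and no failures are accumulating
foreach ($dc in $controllers) {
    foreach ($p in Get-ADReplicationPartnerMetadata -Target $dc) {
        if ($p.LastReplicationResult -ne 0 -or $p.ConsecutiveReplicationFailures -gt 0) {
            Write-Warning "$dc from $($p.Partner): result $($p.LastReplicationResult), failures $($p.ConsecutiveReplicationFailures)"
            $failed = $true
        }
    }
}

# 5. testUser resolves to the same SID on both controllers, so the object has replicated
$sids = $controllers | ForEach-Object { (Get-ADUser testUser -Server $_).SID.Value } | Select-Object -Unique
if (@($sids).Count -ne 1) { Write-Warning "testUser is missing or differs between controllers"; $failed = $true }

if ($failed) { 'Topology or replication check FAILED' } else { 'Topology and replication OK' }
```

Any warning printed names the object to revisit in the corresponding step above; a clean run confirms that the subnet-to-site mapping, the site link settings and inbound replication on both controllers match what the scenario configured.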
How to delete the resources you created
To stop paying for the deployed servers, delete all the VMs.