I’ve worked with a handful of companies helping them integrate their on-premises infrastructure with Azure. About half of them already have an Active Directory domain. If you’re coming from one of those companies, you can skip this blog entry and wait for the next one.
But the other half of the companies I’ve helped were smaller. Many of them started in Azure first and then expanded into some on-premises infrastructure. This blog entry is for companies like that. You have an Azure and/or an Office 365 account, and now you want to add something like a local SQL server to your infrastructure and you want it to use Windows authentication. Let’s get started!
Build a Windows Server
You can build a physical or virtual server here. This instance won’t require a lot of resources. I’m going virtual on VMWare, and I’ve allocated 2 cores and 4GB of ram. After getting completely through this install, the VM consumes about 5% of the CPU and about 50% of the ram when idle, and that peaks at about 50% CPU, and 75% ram during sync operations. I could probably get away with dropping one of those CPUs from the server.
I’m also going with Windows Server 2019. You can get away with older versions, but the instructions and screen captures I’ll share may look different when you follow along.
In VMware, the install is pretty painless. You have to download an ISO file for Windows Server (I got mine through my MSDN license). From there, start-up VMWare’s New Virtual Machine Wizard, select the location where you stored the ISO. Then choose where to store your new VM, allocate CPU and ram to the new VM, and hit Finish. After 15 minutes you’re looking at your new machine.
Once you’re able to log in to your new machine you’re going to want to set up networking. I suggest turning off IPv6 on your machine’s network connection. I’ve never had good luck with domain controllers and IPv6. I’m sure it could work…somehow. For your IPv4 settings, you need to set a static IP address that’s available on your network. Also, change the secondary DNS server to 127.0.0.1. In addition to this machine serving as your primary domain controller, it’s also going to pull some DNS duties.
Next, we need to add some roles and features to the server. Open server manager and click Manage -> Add Roles and Features. Skip past the before you begin. On the second screen, choose “Role-Based or feature-based installation.”
On the next screen, keep the local server selected as your target server. Then on Server Roles, You want Active Directory Domain Services, and DNS Server Roles selected.
The only features you need are AD DS and AD LDS Tools. So hit next, confirm the choices, and hit install. You can continue other work on this server while the install completes. When finished, you should notice the Server Manager has an alert for you. You need to promote this server to a domain controller.
For this walkthrough, we’re standing up our very first domain controller, so we select Add a new forest. For the root domain name, you can set it to anything you’d like, but you’ll want it to be a domain you can also use with Azure Active Directory. In my case, I own the domain toyboxcreations.net. That’s a domain I already use with my Azure and Office 365 accounts, so I use that here. Hit next to continue.
On the next screen, we need to configure our domain controller options.
Choose 2016 as our functional level, since that’s the latest available. Check DNS server as well as Global Catalog. For the password, choose a strong password, and store it in your password manager so you don’t lose it!
Next, we need to set the Netbios Name. In my case, since I’m setting up a toyboxcreations.net domain, I’ll choose the NetBIOS name Toyboxcreations. Try to keep it close to the full domain name you selected previously.
For paths, leave those set to defaults, unless you’ve got a good reason to change them.
Finally, review your options, and let Windows check all the prerequisites for setting up your domain. So long as there are no errors, you will be able to finalize the install and let it run.
Your server will restart, and you’ll be able to start setting up users and computers on your new domain. At a minimum, I’d create a user account for yourself, as well as a domain administrator account. You’ll use those in later steps to integrate your new domain controller with Azure Active Directory!
After following these steps, you’re ready to tackle the next steps of integration. If you have any problems, let me know!