In this post, I’ll show you how to deploy a virtual machine-based Active Directory domain in Azure using an Azure Resource Manager (ARM) template.
As you might tell from the frequency of my Azure content here on Petri.com, I use Azure a lot. I use the Azure benefit from an MSDN Premium subscription. This gives me a monthly allocation of free credit, so my test work doesn’t impact my credit card. But this work comes at another price: Whenever I am finished with a test or demo, I have to destroy every part of that demo so that it doesn’t accrue any further charges to my account.
A lot of my demo labs require some kind of legacy Active Directory (Windows Server AD on domain controllers, as opposed to Azure AD). For example, I recently wrote a series of articles on Azure RemoteApp. Every RemoteApp scenario that I’ve encountered in the real world requires a legacy Active Directory that is synchronized via Azure AD Connect. This gives me users, computers, Group Policy, and OUs that I can deploy to RemoteApp users in conjunction with other domain-joined virtual machine-based services.
And that’s where I spend a lot of my time — deploying and configuring domain controllers. Imagine this scenario:
- Day 1: Deploy a new domain to write article X, write the article, and destroy the entire resource group, including the domain to save Azure credit.
- Day 4: Deploy a new domain to write article Y, write the article, and destroy the entire resource group, including the domain to save Azure credit.
- Day 7: Deploy a new domain to write article Z, write the article, and destroy the entire resource group, including the domain to save Azure credit.
And you get the idea. It seems like I’m spending a lot of time deploying a new domain. That would be no different for a consultant who is deploying new Azure services for lots of clients or an engineer who is building test or evaluation environments.
I’m working more and more with Azure Resource Manager (ARM), and most of you will too over the next year, so I wondered… Has someone created and shared a template for deploying domain controllers? The answer is: Yes.
ARM is based on the concept of reusable JSON templates; you build a template that describes a solution and submit that template to Azure to deploy an instance (a “stamp”) of it. This cookie-cutter approach means that:
- You test and develop a template once.
- You can repeatedly deploy that template many times.
- The time you invest in creating the template is saved many times over.
The template that I want to show you is called “Create a new AD Domain with 2 Domain Controllers.” If you deploy this template, it will create a resource group with:
- 2 domain controller virtual machines in an availability set.
- The necessary NICs, virtual network and load balancer.
- Any required storage.
- Scripts, run on the virtual machines after provisioning, that create a domain with the name of your own choosing.
With this template, you get a predictable result, and it does all this while you can be doing some other work. This is a major time saver.
You can learn much more about the template by:
- Following the link to Learn More On GitHub; here you can view the code that deploys the solution.
- Viewing the visualization of the template in GitHub.
Using the Template
While you can use PowerShell to deploy the template, probably the easiest way to use it is to click the Deploy To Azure button. This action will open the Azure Portal in a new browser tab and load a blade that allows you to configure the settings of the new domain.
There are lots of settings that you can configure, which are documented on the Microsoft template directory page. Interesting options include:
- Select a region.
- Select an existing resource group or create a new one.
- Configure a new storage account.
- Create and configure a virtual network, including a load balancer with NAT rules for Remote Desktop.
- Name the new domain administrator and set the password.
- Choose the options for the new virtual machines, including the operating system and virtual machine spec.
- Configure the domain name of the Active Directory domain (DOMAINNAME) and of the public IP address for the load balancer (DNSPREFIX).
You might find that some of the options are too restrictive. For example, the list of possible Azure regions in the template is small. You might want to remove features, or you might want to add features. For example, network security groups are not created by this template, which means that the Remote Desktop NAT rules on the load balancer’s public IP address are reachable from any address on the Internet; in anything but a short-lived lab you will want to add an NSG that restricts port 3389 to your own management addresses. If that’s the case, then you can follow the Edit Template link to modify the original JSON template for this deployment.
You can make selections or enter names for items in Parameters, confirm the legal stuff, and click Create, and a short while later, you’ll have a fully functional domain. Note that the domain controllers won’t have the Active Directory administration tools (RSAT) installed, but you can either manage them remotely or add the features later in Server Manager or by PowerShell.
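The following PowerShell is an added example, not code from the original article or from the template. It is meant to be run in an elevated session on one of the newly deployed domain controllers: it installs the AD administration tools the template leaves out and then runs the checks I would want to see pass before trusting a freshly promoted pair of DCs (domain present, both DCs listed, replication between them working). The domain name is a placeholder; substitute the DOMAINNAME you entered.

```powershell
# Added example; run on one of the new domain controllers in an elevated session.
# Assumption: Windows Server with AD DS installed by the template, no RSAT yet.

# 1. Install the AD administration tools (ADUC, ADAC, GPMC, ActiveDirectory module).
#    The template promotes the DCs but does not add these features.
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC -IncludeAllSubFeature -IncludeManagementTools

Import-Module ActiveDirectory

# 2. Confirm the domain the template created matches what you asked for.
$domain = Get-ADDomain
"Domain: $($domain.DNSRoot) (NetBIOS $($domain.NetBIOSName)), mode $($domain.DomainMode)"

# 3. Both DCs should be present; both should be global catalogs, and one
#    should hold all five FSMO roles (the first DC the template promoted).
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 4. Replication between the two DCs must work. A healthy new deployment
#    shows zero consecutive failures for every partner and partition.
$failures = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 }

if ($failures) {
    $failures | Select-Object Partner, Partition, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
    Write-Warning 'Replication failures detected; check the DNS settings on the DC NICs first.'
} else {
    'Replication healthy: no consecutive failures reported.'
}

# 5. The classic end-to-end health check; quiet mode prints only failures.
dcdiag /q
```

The replication check is the one worth keeping: the template sets the virtual network's DNS to the first domain controller, and if that setting did not take on the second VM, the domain still "exists" but the two DCs never converge.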
You might encounter a rather unhelpful “Bad Request” error when you click Create. You can dive deeper into the error by browsing to Audit Logs and looking for failed Validate operations. Somewhere in the template, one of the settings that you selected didn’t pass a validation test, and the audit log entries tell you which one, so you can troubleshoot it from there.
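As an added example (not code from the article or from the template), here is how I would do the same deployment from PowerShell rather than from the Deploy To Azure button, because it gives you three things the portal blade does not: the validation errors printed directly instead of buried in the audit log, the failed operations pulled from the activity log if the deployment itself fails, and a network security group applied to the DC subnet straight afterwards so the RDP NAT rules are no longer open to the whole Internet. It assumes the Az PowerShell module and an authenticated session (Connect-AzAccount). The template URI, the parameter names (adminUsername, adminPassword, domainName, dnsPrefix), the resource group and domain names, and the public-IP lookup service are all assumptions; check the template’s azuredeploy.json for the exact parameter names before running it.

```powershell
# Added example; requires the Az module and Connect-AzAccount beforehand.
$rgName      = 'lab-ad-rg'                     # assumed name
$location    = 'West Europe'                   # must be one of the regions the template allows
$templateUri = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/' +
               'active-directory-new-domain-ha-2-dc/azuredeploy.json'   # assumed path

# Parameter names are assumed; they correspond to the portal's blade fields.
$params = @{
    adminUsername = 'labadmin'                 # Azure rejects reserved names such as 'administrator'
    adminPassword = Read-Host -AsSecureString -Prompt 'Domain admin password'
    domainName    = 'corp.example.com'         # DOMAINNAME in the portal
    dnsPrefix     = 'labad' + (Get-Random -Maximum 9999)   # DNSPREFIX; must be globally unique
}

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# 1. Validate first. This is the same check that produces the portal's
#    "Bad Request", but the messages come back directly.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
                -TemplateUri $templateUri -TemplateParameterObject $params
if ($problems) {
    $problems | ForEach-Object { Write-Warning "$($_.Code): $($_.Message)" }
    throw 'Template validation failed; fix the parameters above before deploying.'
}

# 2. Deploy. Two VMs plus DC promotion takes a while; -Verbose streams progress.
$deployment = New-AzResourceGroupDeployment -Name 'ad-2dc' -ResourceGroupName $rgName `
                  -TemplateUri $templateUri -TemplateParameterObject $params -Verbose

if ($deployment.ProvisioningState -ne 'Succeeded') {
    # The same information as the portal's audit log, filtered to failed
    # operations in this resource group (statusMessage key is an assumption).
    Get-AzLog -ResourceGroupName $rgName -StartTime (Get-Date).AddHours(-2) |
        Where-Object { $_.Status.Value -eq 'Failed' } |
        Select-Object EventTimestamp, OperationName,
            @{ n = 'Message'; e = { $_.Properties.Content['statusMessage'] } } |
        Format-List
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# 3. The template creates no NSG, so the load balancer's RDP NAT rules are
#    reachable from anywhere. Allow 3389 only from your current public IP;
#    the NSG's built-in rules still allow VNet traffic (DC-to-DC) and the
#    load balancer's health probes, and deny everything else inbound.
$myIp = Invoke-RestMethod -Uri 'https://api.ipify.org'    # assumed lookup service
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-admin' -Priority 100 `
              -Direction Inbound -Access Allow -Protocol Tcp `
              -SourceAddressPrefix "$myIp/32" -SourcePortRange * `
              -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg  = New-AzNetworkSecurityGroup -Name 'dc-nsg' -ResourceGroupName $rgName `
            -Location $location -SecurityRules $rdpRule
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName

foreach ($subnet in $vnet.Subnets) {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null
"Deployment succeeded; RDP to the DCs is now limited to $myIp."
```

If you are working from a network whose egress address changes, replace the single /32 with the address ranges you actually manage from; a stale rule is the usual reason the NAT rules “stop working” a day later.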