Latest posts by Sander Berkouwer (see all)
Our test lab ^
We’ll be using Microsoft Azure to host our lab environment.
In this step-by-step guide, we’ll be building five installations with Windows Server 2012 R2:
- An Active Directory Domain Controller (DC), also acting as the DNS Server and Enterprise Root Certificate Authority (CA) for our environment
- An Active Directory Federation Services (AD FS) Server
- A Web App Proxy
- A Webserver with the Windows Identity Foundation SDK and several websites
- A File Server with a Sync Share
Graphical representation ^
When you put the virtual machines together, you’ll get the equivalent of this:
Graphical representation of the test lab
Now, let’s start building!
Step 1: Getting started with Microsoft Azure ^
Azure is Microsoft’s cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed datacenters. We’ll be using several Azure services, such as Azure virtual machines.
You can create a trial subscription with Microsoft Azure. All you have to do is wave a credit card and you’re good to go, with a trial subscription capped at a fixed amount of credit for a fixed period. Depending on your location, you might see the equivalent of $100 USD for a period of 60 days.
Microsoft Azure is not available in every country.
Assuming you already have an Azure subscription, you can go ahead and visit https://manage.windowsazure.com. You will be redirected to Microsoft’s federated sign-in infrastructure to log on with either a Microsoft Account (previously known as a Windows Live ID) or an Organizational ID.
This is your first introduction to federation and claims-based authentication, and it simply works.
Step 2: Create your virtual network ^
The first thing we’ll do in Microsoft Azure is create a virtual network.
When you read the Azure Networking Fundamentals, you’ll discover that you can use virtual networks to create a logical boundary around a group of virtual machines (VMs): VMs on the same virtual network reach each other by private IP address, while only the endpoints you explicitly publish are reachable from the Internet.
In the left bar containing all the items you can create within Microsoft Azure, choose Networks.
Since we haven’t created a network before, we will Create a virtual network:
Create a virtual network, Part 1
In the Name field, type something appropriate to identify this virtual network.
Create a virtual network, Part 2
Since the option to Create a new affinity group is selected under Affinity group, you need to select a region and specify an affinity group name. Choose the region representing the physical location closest to you; for the affinity group name, choose the same name as the virtual network name.
Then, click the button with the forward arrow in the bottom right corner to go to screen 3.
Next, and this is important, specify the DNS Servers for the newly created virtual network. Although we haven’t yet created the Domain Controller, we already have to declare it here, together with the IP address that Microsoft Azure will dynamically assign to it.
Azure internals aside, the first four IPv4 addresses of every subnet (the network address, the default gateway, and two addresses Azure keeps for mapping its own DNS service) are reserved, as is the last one. Therefore, the address ending in .4 is the first one handed out to a VM on that subnet.
This implies you need to create and start the VM that represents the Domain Controller before you start any other VM in the network. Dynamic allocation also means the address is not guaranteed to stay with the Domain Controller: if you deallocate it and start another VM first, that VM can take the address and name resolution for the whole lab breaks. Either keep the Domain Controller running, or reserve the address for it (the classic Azure PowerShell module does this with Set-AzureStaticVNetIP).
I’ve chosen to use the 10.0.0.0/8 class A network as the IPv4 IP range for the virtual network and DC1 as the name for the Domain Controller, so I enter that name and 10.0.0.4 as the IP address for the DNS Server on the network.
You can use any IPv4 address range you like, as long as it makes sense from a subnetting perspective. Pick a private (RFC 1918) range that does not overlap with any network you may later want to connect to the lab, for instance over a site-to-site VPN, because overlapping ranges cannot be routed.
Click the button with the forward arrow in the bottom right corner to go to the next screen.
Create a virtual network, Part 3
As Microsoft Azure detects that the range is indeed the 10.0.0.0/8 network, it shows the virtual network specifics as above. Click the button with the checkmark to create the virtual network and close the Create a virtual network wizard.
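The same virtual network can be defined from PowerShell with the classic (Service Management) Azure module, which makes the relationship between the DNS server entry, the address space and the affinity group explicit in one file. This is an added example, not code from the original post; the subscription name 4sysops-lab, the region West Europe, the affinity group and network name 4sysops, and the single subnet Subnet-1 at 10.0.0.0/11 are assumptions for the sake of the example.

```powershell
# Added example (not from the original post): define the lab's virtual network with
# the classic Azure PowerShell module. Assumed names: subscription "4sysops-lab",
# region "West Europe", affinity group and network "4sysops", subnet "Subnet-1".
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "4sysops-lab"

# Affinity group first: the virtual network is bound to it (Step 2, screen 2).
New-AzureAffinityGroup -Name "4sysops" -Location "West Europe"

# The DNS server is declared before the VM exists, with the address the first VM
# will receive: Azure reserves .0 through .3 of a subnet, so DC1 gets 10.0.0.4.
$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="DC1" IPAddress="10.0.0.4" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="4sysops" AffinityGroup="4sysops">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.0.0/11</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC1" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

# Caveat: Set-AzureVNetConfig replaces the whole network configuration of the
# subscription. Export the existing one first; if the subscription already has
# virtual networks, merge this site into that file instead of overwriting it.
$backup = Join-Path $env:TEMP "vnetconfig-backup.xml"
Get-AzureVNetConfig -ExportToFile $backup -ErrorAction SilentlyContinue | Out-Null

$path = Join-Path $env:TEMP "vnetconfig-4sysops.xml"
Set-Content -Path $path -Value $netcfg -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $path

# Check: the site exists and carries the DC1 DNS reference.
Get-AzureVNetSite -VNetName "4sysops" |
    Select-Object Name, AffinityGroup, AddressSpacePrefixes, DnsServers
```

The backup step is the part that matters in a shared subscription: the network configuration is one document per subscription, so applying a file that only contains the lab network silently drops every other virtual network defined there.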
Step 3: Create the Domain Controller VM ^
Now that we have created the virtual network with a name server declared, it’s time to build that virtual machine and make it the name server we promised Azure.
In the left bar containing the items you can create within Microsoft Azure, choose Virtual Machines. Next, choose to create a VM From Gallery.
From the vast range of templates in the Azure virtual machine gallery, choose Windows Server 2012 R2 Datacenter.
As you can see, you can create all sorts of VMs in Azure. Even officially supported Linux-based VMs run on Azure. Who would’ve thought that ten years ago?
Configure the VM with these settings:
- Choose a specific version release date, or accept the default version release, which is the most recent version release. Since Azure VMs are based on templates, this defines the template you’ll be working from and defines the base patch level.
Choose the same version release date for all the Azure VMs that will be working together in this lab, so that they all start from the same base patch level.
- Give the VM a meaningful virtual machine name. I named mine DC1.
- Choose a specific VM size. The size for the VMs in your BYOD lab environment specifies both the performance of the VM (in terms of processor and available RAM) and the price per hour for running the VM.
Choose Small (A1) when you create the VM. This will result in a $60 USD per month price tag, but you can size it back to extra small (A0) later. This change requires a reboot of the Azure VM, but that is not such a big deal.
- Next, create a user name, with administrative privileges, for the default account. Azure refuses the name Administrator here; the account you specify becomes the built-in administrator under a name of your choosing, which denies anyone probing the remote desktop and remote management endpoints the one user name they would guess first.
- For remote purposes, an account needs a password, so supply one and then confirm it by typing it again. Azure enforces its own length and complexity rules, but since these endpoints will be reachable from the Internet, use a long, unique password rather than the minimum.
When both passwords match, you’ll see a green circle with a checkmark in it to indicate so.
Create a VM in Azure, Part 1
Click the button with the forward arrow in the bottom right corner to go to screen 2.
On this screen, we’re able to create a new cloud service. An Azure Cloud Service is the container that gives a group of VMs one public DNS name and the public endpoints through which you reach them for access and management. Since we haven’t yet configured a cloud service, this is a good time to create one. Luckily, it is selected by default.
Give the Azure cloud service a meaningful cloud service DNS name. For the purpose of this lab environment, we’ll call it 4sysops, which makes its public name 4sysops.cloudapp.net. From now on, we’ll point to this DNS name for all remote desktop and remote management tasks, and we’ll access the lab through it later on as well.
All the other settings are good to go, so all we have to do now is click the forward arrow in the bottom right corner to create our DC1.
Create a VM in Azure, Part 2
Step 4: Create the four additional virtual machines ^
With the actions outlined in Step 3, create the four additional Azure VMs from the list under Our test lab: the AD FS server, the Web App Proxy, the web server and the file server.
As you’ll notice, when you create additional VMs in Azure, you don’t need to create additional Azure Cloud Services. Instead, choose the 4sysops cloud service you created earlier.
Although all Azure VMs in the Azure Cloud Service will be accessed through the same DNS name, their remote desktop and remote management ports will be assigned dynamically upon creation of the VMs, so you can reach each of them individually. Note the public port each VM received. These endpoints are reachable from the Internet, so restrict them to your own address with an endpoint access control list (or remove the ones you don’t need) before the lab holds anything of value.
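Steps 3 and 4 together, as an added example rather than code from the original post, using the classic (Service Management) Azure PowerShell module. It makes explicit two things the portal wizard leaves implicit: DC1 is pinned to 10.0.0.4 so the DNS server entry of the virtual network stays valid no matter which VM is started first, and the auto-created public Remote Desktop and PowerShell endpoints are restricted to a single admin address. Assumptions: virtual network, affinity group and cloud service all named 4sysops, subnet Subnet-1, admin account labadmin, an admin workstation at the documentation address 203.0.113.10, and VM names other than DC1 chosen here for illustration.

```powershell
# Added example (not from the original post): build the five lab VMs with the classic
# Azure PowerShell module. Assumed: vnet/affinity group/cloud service "4sysops",
# subnet "Subnet-1", admin "labadmin", admin workstation 203.0.113.10 (documentation
# address); VM names other than DC1 are invented for this example.
$service  = "4sysops"
$vnet     = "4sysops"
$subnet   = "Subnet-1"
$admin    = "labadmin"                      # "Administrator" is refused by Azure
$secure   = Read-Host -AsSecureString "Password for $admin"
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
$adminIp  = "203.0.113.10/32"

# Pick one image and reuse it for every VM, so all five start at the same patch level.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1

function New-LabVM {
    param([string]$Name, [string]$StaticIP)
    $cfg = New-AzureVMConfig -Name $Name -InstanceSize "Small" -ImageName $image.ImageName |
           Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $plain |
           Set-AzureSubnet -SubnetNames $subnet
    if ($StaticIP) {
        # Reserve the address in the VNet instead of relying on VM start order.
        $cfg = $cfg | Set-AzureStaticVNetIP -IPAddress $StaticIP
    }
    # New-AzureVM creates the cloud service on the first call and reuses it afterwards.
    if (Get-AzureService -ServiceName $service -ErrorAction SilentlyContinue) {
        New-AzureVM -ServiceName $service -VMs $cfg -WaitForBoot
    } else {
        New-AzureVM -ServiceName $service -AffinityGroup $service -VNetName $vnet `
                    -VMs $cfg -WaitForBoot
    }
}

# The domain controller first, pinned to the DNS address declared in Step 2.
New-LabVM -Name "DC1" -StaticIP "10.0.0.4"
foreach ($name in "ADFS1", "WAP1", "WEB1", "FS1") { New-LabVM -Name $name }

# Every VM received public "Remote Desktop" (3389) and "PowerShell" (5986) endpoints
# on random public ports. They face the Internet; limit them to the admin workstation.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet $adminIp -Order 100 `
                   -Description "Admin workstation only" -ACL $acl
foreach ($vm in Get-AzureVM -ServiceName $service) {
    foreach ($ep in Get-AzureEndpoint -VM $vm) {
        $vm | Set-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol `
                -LocalPort $ep.LocalPort -PublicPort $ep.Port -ACL $acl | Update-AzureVM
    }
}

# Check: which public port reaches which VM, and that every endpoint carries the ACL.
Get-AzureVM -ServiceName $service | ForEach-Object {
    $n = $_.Name
    Get-AzureEndpoint -VM $_ | Select-Object @{n = "VM"; e = { $n }}, Name, Port, LocalPort, Acl
}
```

Running the VMs through a function keeps the image, size and credentials identical for all five, which is what the "same version release date" advice in Step 3 is about. The ACL loop is the part to keep even if you build the VMs in the portal: a Permit rule implies a deny for every other source, so only the listed address can reach the RDP and WinRM ports.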
We’ve created an initial foothold within Microsoft Azure, with a virtual network and a handful of virtual machines. So far, this has taken less time and resulted in fewer headaches than creating VMs on a (dedicated) demo device. We’re off to a good start!
In my next post I will explain how to configure the Active Directory Domain Controller and the Active Directory Certificate Services Certification Authority.