Microsoft Azure AZ-800 — Section 3: Deploy and manage AD DS domain controllers Part 4

23. Deploy and manage domain controllers in Azure

I now want to look at how we can log on to Azure and set up a virtual machine in the cloud that could be a domain controller for us.

So, if you wanted, you could bypass having an on-premises domain controller altogether. You could set up a domain controller right out in the cloud, just as though it were something hosted on-premises.

So how do we do that? Well, first and foremost, you need to have gone through the earlier videos where I demonstrate how to set up your Microsoft 365 and Azure account. There's another video that shows you how to set up an Azure subscription.

So you need to make sure you've watched those and done those before you attempt this yourself, or else you are welcome to just watch me do it. But if you want to try it yourself, you need to make sure you've done those earlier steps.

OK, here I am on portal.azure.com. I'm going to go to this little menu button here, go to Resource Groups, and create a resource group.

So a resource group is just a little container that you can put virtual machines and other Azure objects inside.

So I'm going to create a resource group. I'm just going to call it VMTest. You can name it what you want, for the most part, although there are rules: you can't have spaces and things like that. If I try to put a space, you'll notice it gives an error. So I'm going to call it VMTest, and then I'm going to specify the region. I'm going to put East US. You would obviously want to put a region near where you live, because that determines the data center where the virtual machine files are going to stay. Then click Review and Create, then click Create, and the resource group will get created relatively quickly.

OK, so I'm going to go into the VMTest resource group, and I'm going to create a resource in the resource group that's going to be a virtual machine, so I'm going to click Create. It gives me some options here for setting up virtual machines, and if I want, what I can do is just do a search. We'll say Windows Server 2022; let's do a search on that and see what our options are. From there it says, OK, you're going to do a Windows Server. Yep, that's what I'm going to do, so let's go ahead and click on this box here. It says, OK, which version of Windows do you want? I'm going to go down, and we're going to go with Windows Server 2022 Datacenter.

OK, so we'll go with Datacenter.

OK, we're going to click Create. We've got our Azure subscription, and we're pointing to the VMTest resource group where we want it to be created. I'm going to call this virtual machine AzureDC1. That's just the name I'm going to give it; of course, you can name it what you want.

Now, keep in mind, this is not a full-blown Azure lecture right now.

So some of this stuff I'm not really going to get into thoroughly right now. Take availability zones: I'm not going to talk deeply about these right now. This gets into having your virtual machine replicated to other data centers in the Azure cloud, so that if one data center goes down, you've got a replica of your virtual machine in another data center.

So that's what the availability options and availability zones involve. I'm not going to get into all that right now; you could have three different data centers, regions and all that that we could get into. Then there's the security type. I'm not going to get deep into this right now either. This is whether or not you're going to support a TPM, a Trusted Platform Module, on the server, which allows things like BitLocker encryption and Secure Boot features, so this involves adding additional security. Keep in mind that some of this stuff does cost a little extra money.

Now, if you're concerned about the cost, you can always do a quick Google search for the words Azure calculator, and that takes you to the Azure pricing calculator. This is a great way to find out what the cost of something is. It lets you go through the process of simulating setting up, say, a virtual machine or some other Azure-related appliance or service, and then it gives you a price estimate as to what the cost is.

So you can go here to this pricing calculator. You can check that out and find out what the cost of some of the resources is.

So here, for example, I can click on Virtual Machines and then add some of the things I want, and it's going to give you an estimate, on a monthly basis, of what the cost would be.

So this is definitely something that's fun to play around with to get an idea of what the cost will be.

So, I definitely encourage you to come here and play around with the calculator and see what you can find out.

OK, so back over here, the image we're going with is Windows Server 2022 Datacenter, Generation 1. You can look at other images. We're not going to use an Azure Spot instance. A Spot instance, though, is an affordable thing you can do for testing. It essentially makes it so that the hardware used in the datacenter is unused spare hardware.

So it's hardware that's currently not being used by a bunch of other equipment; a lot of times it could be slower hardware, or it could be faster hardware. That's the Spot instance. It's a great way for you to test things out at a very low cost. I'm not going to do a Spot instance. Keep in mind that with a Spot instance, they could shut your virtual machine down if all the equipment in the datacenter starts getting used.

OK, so then I've got size. This is how much the average cost would be per month.

OK.

So you can see right now it's saying that with one virtual CPU and 3.5 GB of RAM, it's $91.98 a month, and then four virtual CPUs with 16 GB of RAM is going to cost more. You can also see all sizes if you want. It'll give you this little size table here, and you can get an idea of what the cost is going to be per month.

OK, I'm just going to go with the default one and select that.

So that'll be the one virtual CPU, 3.5 GB. Keep in mind, I'm not going to leave this virtual machine up, so it's not going to cost a lot of money. I'm just doing this for demo purposes.

So from there, at that point, it asks: what do you want your username to be? I'm going to call it AzureADAdmin, and then I'm going to put in a password that I want to use.

OK. And of course, if you're doing this with me, you can put whatever you want there.

OK, then it's going to talk about inbound ports. It's going to add some rules to the firewall services on there so that it can allow a connection in. Virtual machines are tied to what's called a virtual network. The virtual network has what's known as a network security group, and this network security group is almost like a little firewall service that's going to monitor the incoming traffic. Also, keep in mind that in the real world, if I'm going to support Remote Desktop Protocol coming in, eventually what you're going to want to do is set up a VPN, because it's a lot more secure than just leaving RDP open on the server: hackers could do a port scan, determine that port 3389 is open, and try to attack your server.

So it's better eventually for you to set up a VPN. Of course, I'm not getting into VPNs right now; I just wanted to throw that out there. At that point, you can click Next and select how you want your hard drives to be. You can do premium SSD; I'm just going to go with standard HDD, which is cheaper. It's not as fast as SSD, but it's standard.

OK, not getting into any encryption stuff right now.

OK, networking, you could set up your virtual network. It’s going to configure a little virtual network that the server is going to sit on. If I had other virtual machines, I could join them to this virtual network.

So, I’m not thoroughly getting into all this right now either.

OK, I'm going to click Review and Create. It's going to bring us to the Review and Create screen and tell me if there are any problems, and it says the validation passed, so apparently there are no problems.

OK, so at that point, I’m going to go ahead and tell it to create the virtual machine and this can take a few minutes.

So I'm going to go ahead and pause the video while this processes. OK, so after a few minutes, you should get a confirmation message here. As you can see, it says your deployment is complete. I could click Go to Resource, but if you want to know how to find it through the menu, you can click the menu button here on portal.azure.com, go down to Resource Groups and then VMTest. Then I can see all the items that make up the virtual machine. As you can see, there are a lot of different things that make up a virtual machine. You have the actual virtual machine object itself, which is this AzureDC1. You have a virtual IP address; you have this network security group, which is for packet filtering, basically almost like a firewall; you've got a network interface adapter; and you've got your virtual disk here. And then here is the VNet itself, the virtual network.

So what we really care about here is this AzureDC1 object. I'm going to click on that, and that gives me the address of the virtual machine itself; here it is right here, its IP address, so I'm just going to copy that. At that point, I can click Connect and it'll let me connect via RDP. RDP, not Bastion, is what we told it to use, so we can just tell it to download the RDP file if we want.

OK, so I'm going to open up this file. At that point, I'm going to put in my credentials and hit Enter. Click here to log on, and I'm now connecting to the virtual machine through RDP.
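The same lab build as the portal steps above, done with the Az PowerShell module; this is an added example, not code from the course. Resource names, the VM size (Standard_DS1_v2, assumed to match the 1 vCPU / 3.5 GB size shown) and the admin IP are assumptions, and the inbound RDP rule is restricted to one source address instead of the whole Internet, which addresses the port-scan concern raised above.

```powershell
# Added example, not code from the lecture: the same lab build done with the Az
# PowerShell module instead of the portal. Resource names, the VM size and $adminIp
# are assumptions; replace them with your own values.
Connect-AzAccount | Out-Null          # interactive sign-in with the portal account

$rg       = 'VMTest'                  # resource group (names cannot contain spaces)
$location = 'eastus'                  # pick a region near you
$vmName   = 'AzureDC1'
$nsgName  = "$vmName-nsg"
$adminIp  = '203.0.113.10'            # constructed placeholder: your own public IP

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# "Inbound ports" step. The wizard opens RDP (TCP 3389) to the whole Internet;
# this rule allows it from one source address only, so a port scan from anywhere
# else does not find RDP open. A VPN or Bastion is still the better long-term option.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Description 'Lab RDP, restricted to the admin workstation' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $adminIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $rdpRule | Out-Null

# Local administrator account for the VM; the password is prompted, never stored here.
$cred = Get-Credential -UserName 'AzureADAdmin' -Message 'VM local admin password'

# Windows Server 2022 Datacenter image. Standard_DS1_v2 (1 vCPU, 3.5 GiB) is assumed
# to be the size shown in the lecture.
New-AzVM -ResourceGroupName $rg -Location $location -Name $vmName `
    -Image 'MicrosoftWindowsServer:WindowsServer:2022-datacenter:latest' `
    -Size 'Standard_DS1_v2' -Credential $cred `
    -VirtualNetworkName "$vmName-vnet" -SubnetName 'default' `
    -PublicIpAddressName "$vmName-pip" -SecurityGroupName $nsgName | Out-Null

# New-AzVM may still add "allow from anywhere" inbound rules of its own;
# drop those so only the restricted RDP rule remains.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
foreach ($rule in @($nsg.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            $_.SourceAddressPrefix -contains '*' })) {
    Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg | Out-Null
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Everything the deployment created: VM, public IP, NSG, NIC, disk and the VNet.
Get-AzResource -ResourceGroupName $rg | Select-Object Name, ResourceType

# Public address to paste into the RDP client (the value shown on the VM blade).
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "$vmName-pip").IpAddress

# End of the lab: Stop-AzVM deallocates the VM, which stops compute billing
# (the disk and public IP still bill until the resource group is deleted).
# Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force
```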

OK, so it's now officially starting up, just like a server normally does, just like if you've installed a domain controller on-premises; this is pretty much the exact same process. But currently this is just a server, a standalone server; it doesn't have Active Directory or any of that installed on it.

So we would have to install Active Directory Domain Services and all that in order for that to happen.

OK, so now that I've got Server Manager up, I'm going to just close out of this right here. And I'm going to go over here to Local Server. You can see that the name of the server is AzureDC1, right? You can see the IP address information here if I click on that and go to the properties of the virtual adapter. It's pointed to this computer's loopback address, 127.0.0.1; I've pointed the computer to itself for DNS. We're going to go now up to Server Manager, go to Manage, then Add Roles and Features, and install Active Directory Domain Services. Next, Next and Next, and I'm now ready to install.

OK, so I'm going to let that install and pause the video while that installs. Now that the installation is complete, I'm just going to hit Close, and I'm ready to configure and promote this server to a domain controller. I'm just going to go here to Promote this server to a domain controller. I'm going to create a new forest. Keep in mind, if we actually established a connection from our on-premises network to the cloud, and you can do that using something called direct connect, or you can use a VPN; there are actually various ways you can connect your on-premises network directly into the Azure cloud. We're not getting into that right now, but if I did that, I could actually join this computer to the on-premises domain. I'm not getting into that right now, because right now the main thing is I want to show you how to set up a new domain in a new forest. But the cool thing is that it is possible to connect your on-premises environment with the cloud, or you can go full-blown into the cloud and just host all your domain controllers out in the cloud.

So I'm going to say Add a new forest and give it a name. I'm going to call this exam lab practice Azure. That's the name I'm going to give it, then Next. So it's just checking your forest functional level and domain functional level. For DNS, I'm going to use this server and point it at itself. It's going to be a global catalog; not looking at RODC right now. Put in the password that I want my Directory Services Restore Mode administrator to have. Click Next.

OK, it's going to do DNS delegation; it's going to point to this computer for DNS, so that's fine, and click Next on that.

OK, then it's going to check to make sure there's no NetBIOS name conflict out there. It's going to use the default NetBIOS name, which will be a name of no more than 15 characters.

So I'm going to click Next. That's done, so just leave the database, log and SYSVOL folders in the same place, click Next, and we're ready to go. I'm going to click Next; it's going to check the prerequisites and make sure there are no issues there. Once it's done with that, we'll be able to install, or promote, the machine to a domain controller, and it will officially be a domain controller. And there we go. It's going to take a few minutes to do that, so we'll pause the video and come back.

OK, so after Active Directory is set up and the domain controller is officially promoted, it's going to reboot, so you'll get kicked off of the Remote Desktop session. You'll have to connect back in, and the first boot of a domain controller is sometimes a little sluggish, especially when it's only got about 3.5 GB of RAM.

So you'll notice it's a little bit slow, but once that's booted back up, you can see here I am in Server Manager and I now officially have Active Directory installed. I can go right here and open up Active Directory Users and Computers, and we can create user accounts and such in our own little domain.
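The Add Roles and Features and "promote this server" steps above as a script run inside the VM; this is an added example, not code from the course. The forest name and NetBIOS name are placeholders (the name used in the video is not legible in the transcript), and the script runs the same prerequisite check the wizard does before promoting.

```powershell
# Added example, not code from the lecture: the Add Roles and Features and
# "promote this server" steps as PowerShell, run inside the VM as the local admin.
# The forest name and NetBIOS name are placeholders; the lecture's own name is not legible.
$domainName  = 'examlab-azure.local'   # placeholder forest root domain
$netbiosName = 'EXAMLAB'               # NetBIOS names are limited to 15 characters

# Install the AD DS role plus the management tools (ADUC, AD PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password, prompted rather than hard-coded.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'

# "Check the prerequisites" step: reports problems before anything is changed.
$check = Test-ADDSForestInstallation -DomainName $domainName `
    -DomainNetbiosName $netbiosName -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # Same choices as the wizard: new forest, Windows Server 2016 functional level
    # (the highest available), DNS on this DC, default database/log/SYSVOL paths.
    # The server reboots when promotion completes, so the RDP session drops.
    Install-ADDSForest -DomainName $domainName -DomainNetbiosName $netbiosName `
        -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $dsrmPassword -Force
}

# After the reboot, reconnect and confirm the result:
#   Get-ADDomainController -Identity $env:COMPUTERNAME |
#       Select-Object Name, Domain, IsGlobalCatalog, IsReadOnly
#   Get-DnsClientServerAddress -AddressFamily IPv4 |
#       Select-Object InterfaceAlias, ServerAddresses   # DNS should point at this server
```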

So we're good to go, and that is how you can set up a domain controller in the Azure environment.

Now, the only other thing I would recommend you do, because I'm not going to be really messing with that domain controller anymore right now, is to go ahead and turn that domain controller off so that it's not using my Azure credit, my subscription.

So here I am, back on portal.azure.com. I'm going to click the little menu button, go to Resource Groups, and from there go to the VMTest resource group. We're going to locate AzureDC1, click on that, and then just tell it to stop.

So we're going to tell it to stop, and that's going to shut it down. It's no longer going to be taking up processing power or any of that in the cloud, so it won't be costing us any money.

So that's the only other thing I recommend you do. And then you're officially ready to move on.

24. Visualizing the purpose of a Read-Only Domain Controller (RODC)

Now, for years, Windows Server domain controllers have supported a feature known as RODC. RODC is a read-only domain controller. It was kind of funny, because back in the 1990s, when we had Windows NT Server, you had what was called a PDC, a primary domain controller, and you had what were called BDCs, backup domain controllers. The PDC was writable and the BDCs were read-only, and then, when Windows 2000 came out, Microsoft made the announcement that all domain controllers are now writable.

So it was a pretty big deal, because it meant that you could sit down at any of your domain controllers, make a change, and essentially it would replicate to the other domain controllers. Not too long after that, a few years down the road, Microsoft released the concept of what is called an RODC. RODC is a read-only domain controller, and the idea is that we can set up a domain controller that is not writable, that is only read-only. But the question is, why? That's probably what you're wondering.

So I want to explain that a little bit.

So to help you understand that, I'm going to pop open another drawing here, and we're going to take a look at some different locations.

So, for example, perhaps our main location might be in New York City. And then maybe we've also got another location, which we'll say is in Texas; maybe Dallas, Texas. OK, so Dallas. And maybe we've also got another location over here in, let's make it, Birmingham, Alabama. I'm just going to put Berm for Birmingham, Alabama.

OK? And maybe you've got some connections that connect these offices together, some wide area network connections. And you've got domain controllers in each one of your locations. We'll say in New York, we've got, let me draw them in, maybe a couple of domain controllers in New York. And maybe a couple of domain controllers in Dallas.

So that’ll represent those.

Now we’re going to say that Birmingham is a relatively new office and it’s a very small office.

OK.

So whereas in New York, maybe we've got like 500 employees; we've got different departments working there. Maybe in Dallas we've got, I don't know, we'll say 300 employees. But in Birmingham, it's just a small, let's say, sales office.

OK.

So this is really just a sales office where we have salespeople that meet with different customers. And perhaps there are only, I don't know, we'll say 10 employees that work there, and there's not even a full-time IT department or full-time IT staff that actually works in that Birmingham office.

OK.

So this is where we get into why an RODC might be beneficial.

OK, first off, you have IT people that work full time in New York, and IT people that work full time in Dallas. There is somebody there monitoring domain controllers and managing everything in those locations for us at all times.

OK, but when we get into our Birmingham office, it's just a small office. It might even be that it's not well monitored. Again, there are no IT people there monitoring anything. They're not managing everything and keeping everything safe.

So it's a little bit more dangerous to put a full-blown domain controller in that Birmingham office. But here's the problem. Computers that are logging on in Birmingham, let's say this box here represents one of the client computers; when that client computer wants to authenticate with the domain, currently it's having to cross over to New York using the company's WAN connection in order to do that. And maybe users are complaining that it's slow.

So we could, of course, put a full-blown domain controller in the sales office in Birmingham. But at that point, you've got to remember something. These domain controllers are all writable. If you make a change to one of them, it's going to replicate back and forth, right? That means that if we were to put a full-blown domain controller in Birmingham and something got corrupted, because there's no IT staff there monitoring it and managing it all the time, that could replicate to New York. And next thing you know, it's replicated to Dallas, across the entire domain, and it could corrupt the entire domain.

OK, so an RODC would be a good fit for this style of environment.

So instead of putting a full-blown DC out there, we're going to put an RODC out there.

So we're going to put a server out there and make it an RODC server.

OK, so it won't be a full-blown DC. RODCs are read-only.

So that means that replication, when it occurs, is only going to occur this way, into the RODC.

OK, now the other thing that's great about an RODC is that you can have it cache the passwords of the 10 employees that are in the office. It does not have to know everybody's password, so there's a security benefit there as well. If you think about it, I'm going to allow this RODC to cache the passwords of the 10 employees that work there, but no other passwords.

So if somehow this RODC server got hacked, it's not going to know anybody's admin passwords or any of that.

OK, now you can control that through the password caching feature that the RODC has.

So we get to control what the RODC is going to know. And again, replication will never occur out from here. It'll always have to occur inbound, coming to the RODC.

So when things change, they're going to replicate to the RODC. The RODC does not ever get to replicate anything else.

So again, if it gets corrupted or something like that, it's not going to do any damage.

OK? We get to control all of that.

So ultimately, an RODC is a way for you to set up a domain controller that's read-only and not give anybody access to it. In fact, it doesn't even know any admin credentials.

So you may say, what happens if an admin visits the Birmingham office and tries to log on? For anybody that tries to log on, if the RODC does not know their password, then the RODC will do pass-through authentication. That means it will send the authentication request up to New York, in this case, and New York will authenticate the user and pass it back.

So if anybody tries to log on and it doesn't know their password, they can still get authenticated; it's just a little slower. Or we could manually tell the RODC that we want it to cache a certain person's password, but ideally you don't really want it caching admin passwords and things like that, because the server is not being monitored as thoroughly as the others, since there's no IT department or staff working there. So ultimately what you're doing is making it so it only knows about the 10 employees that work in the office.
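The Birmingham scenario above as a script, promoting a member server to an RODC with the password caching control (the Password Replication Policy) limited to the local sales group; this is an added example, not code from the course. The domain name, site name, group name and RODC name are assumptions.

```powershell
# Added example, not code from the lecture: run on the Birmingham server, already
# joined to the domain as a member server. Domain, site, group and RODC names are
# assumptions for this scenario.
$domainName   = 'examlab-azure.local'   # placeholder forest name
$siteName     = 'Birmingham'            # AD site for the sales office (assumed to exist)
$allowedGroup = 'Birmingham-Sales'      # group holding the ~10 local employees (assumed)

$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'
$domainAdmin  = Get-Credential -Message 'Domain admin allowed to add a domain controller'

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# -ReadOnlyReplica makes this an RODC: it receives replication but never sends changes.
# The allow/deny lists are the password caching control discussed above: only the
# local sales group may be cached, and admin groups are never cached on this box.
Install-ADDSDomainController -DomainName $domainName -SiteName $siteName `
    -ReadOnlyReplica -InstallDns -Credential $domainAdmin `
    -AllowPasswordReplicationAccountName @($allowedGroup) `
    -DenyPasswordReplicationAccountName @('Domain Admins', 'Enterprise Admins', 'Administrators') `
    -SafeModeAdministratorPassword $dsrmPassword -Force

# Checks to run from a writable DC once the RODC is up ('BHM-RODC1' is an assumed name):
#   Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BHM-RODC1'  # allow/deny lists
#   Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BHM-RODC1' -RevealedAccounts
# The second command lists every account whose password is actually cached on the
# RODC; an admin account showing up there is something to investigate.
```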

OK, so guys, that is the idea of an RODC. That is how an RODC could benefit us. It's not used super often in the real world; there are certain circumstances where it can come in handy. You can put DNS on it as well, by the way.

So another thing that's handy is you can have DNS set up on it, and your employees can query DNS right there with the RODC as well. But remember, an RODC is read-only, and it's only going to be used in certain circumstances.