Deploying Active Directory

  • Before you start
    • Required paid resources
  • Create a cloud network and subnets
  • Create a script to manage a local administrator account
  • Create a VM for Active Directory
  • Create a VM for a bastion host
  • Install and configure Active Directory
  • Configure the second domain controller
  • Test Active Directory
  • Delete the created resources

The scenario provides an example of how to deploy Active Directory in Yandex.Cloud.

To deploy the Active Directory infrastructure:

  1. Before you start.
  2. Required paid resources.
  3. Create a cloud network and subnets.
  4. Create a script to manage a local administrator account.
  5. Create a VM for Active Directory.
  6. Create a VM for a bastion host.
  7. Install and configure Active Directory.
  8. Configure the second domain controller.
  9. Test Active Directory.
  10. Delete the created resources.

Before you start

Before deploying servers, you need to sign up for Yandex.Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex.Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex.Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of an Active Directory installation includes:

  • A fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • A fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • The cost of outgoing traffic from Yandex.Cloud to the internet (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create a cloud network named ad-network with subnets in all the availability zones where your VMs will be located.

  1. Create a cloud network:

    Management console

    To create a cloud network:

    1. Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
    2. Click Create network.
    3. Enter the network name ad-network.
    4. Click Create network.

    CLI

    To create a cloud network, run the command:

    $ yc vpc network create --name ad-network
    
  2. Create three ad-network subnets:

    Management console

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create the subnet.
    2. Click on the name of the cloud network.
    3. Click Add subnet.
    4. Fill out the form: set the subnet name to ad-subnet-a and select the ru-central1-a availability zone from the drop-down list.
    5. Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP ranges, see Cloud networks and subnets.
    6. Click Create subnet.

    Repeat these steps for two more subnets, ad-subnet-b and ad-subnet-c, in the ru-central1-b and ru-central1-c availability zones with the 10.2.0.0/16 and 10.3.0.0/16 CIDR, respectively.

    CLI

    To create subnets, run the following commands:

    yc vpc subnet create \
      --name ad-subnet-a \
      --zone ru-central1-a \
      --network-name ad-network \
      --range 10.1.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-b \
      --zone ru-central1-b \
      --network-name ad-network \
      --range 10.2.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-c \
      --zone ru-central1-c \
      --network-name ad-network \
      --range 10.3.0.0/16
    

Create a script to manage a local administrator account

Create a file named setpass with a script that sets a password for the local administrator account when creating VMs via the CLI:

#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

The password must meet the complexity requirements. Note that the password is stored in plain text both in the setpass file and in the VM metadata that the file is passed to with --metadata-from-file, so keep the file out of version control and delete it once the VMs have been created.

Read more about the best practices for securing Active Directory on the official website.

Create a VM for Active Directory

Create two VMs for Active Directory domain controllers. These VMs don't have internet access.

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter the VM name ad-vm-a.

  3. Select the availability zone ru-central1-a.

  4. Under Images from Cloud Marketplace, click Select. In the window that opens, select the 2016 Datacenter image.

  5. Under Disks, enter 35 GB for the size of the boot disk.

  6. Under Computing resources:

    • Choose a platform: Intel Cascade Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 4.
      • Guaranteed vCPU share: 100%.
      • RAM: 8 GB.
  7. Under Network settings, click Add network and select ad-network. Select ad-subnet-a. Under Public address, select No address.

  8. Under Access, specify the data required to access the VM:

    • In the Password field, enter your password.
  9. Click Create VM.

Repeat this operation for the VM ad-vm-b in the ru-central1-b availability zone and connect it to the subnet ad-subnet-b.

CLI

$ yc compute instance create \
    --name ad-vm-a \
    --hostname ad-vm-a \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-a \
    --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass

$ yc compute instance create \
    --name ad-vm-b \
    --hostname ad-vm-b \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-b \
    --network-interface subnet-name=ad-subnet-b,ipv4-address=10.2.0.3 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass

Create a VM for a bastion host

A VM with internet access (a bastion host, or jump server) is used to configure the Active Directory VMs, which have no internet access of their own.

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter the VM name jump-server-vm.

  3. Select the availability zone ru-central1-c.

  4. Under Images from Cloud Marketplace, click Select. In the window that opens, select the 2016 Datacenter image.

  5. Under Disks, enter 35 GB for the size of the boot disk.

  6. Under Computing resources:

    • Choose a platform: Intel Cascade Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 2.
      • Guaranteed vCPU share: 100%.
      • RAM: 4 GB.
  7. Under Network settings, click Add network and select ad-network. Select ad-subnet-c. Under Public address, select Automatically so that the bastion host gets a public IP address for RDP access (the CLI command does the same with nat-ip-version=ipv4).

  8. Under Access, specify the data required to access the VM:

    • In the Password field, enter your password.
  9. Click Create VM.

CLI

$ yc compute instance create \
    --name jump-server-vm \
    --hostname jump-server-vm \
    --memory 4 \
    --cores 2 \
    --zone ru-central1-c \
    --network-interface subnet-name=ad-subnet-c,nat-ip-version=ipv4 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass

Install and configure Active Directory

VMs with Active Directory don't have internet access, so they should be configured from the jump-server-vm VM using RDP.

  1. Connect to jump-server-vm using RDP. Enter Administrator as the username and then your password.

  2. Start the RDP client and connect to ad-vm-a.

  3. Launch PowerShell and set a static IP address:

    netsh interface ip set address "Ethernet 2" static 10.1.0.3 255.255.255.0 10.1.0.1
    
  4. Create a temporary folder:

    mkdir C:\Windows\temp
    
  5. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    
    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Active Directory Domain Services, Group P...
    
  6. Create an Active Directory forest:

    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
    

    Windows restarts automatically. Relaunch PowerShell.

  7. Rename the default site to ru-central1-a:

    Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
    
  8. Create two more sites for the other availability zones:

    New-ADReplicationSite 'ru-central1-b'
    New-ADReplicationSite 'ru-central1-c'
    
  9. Create subnets and link them to the sites:

    New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'ru-central1-a'
    New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'ru-central1-b'
    New-ADReplicationSubnet -Name '10.3.0.0/16' -Site 'ru-central1-c'
    
  10. Rename the site link and configure replication:

    Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' | `
        Set-ADReplicationSiteLink -SitesIncluded @{Add='ru-central1-b'} -ReplicationFrequencyInMinutes 15 -PassThru | `
        ForEach-Object { $link = Get-ADObject $_ -Properties options
            # bit 1 of options enables change notification; $_ is bound only inside this script block
            Set-ADObject $link -Replace @{options = ([int]$link.options -bor 1)} -PassThru } | `
        Rename-ADObject -NewName 'ru-central1'
    
  11. Set the DNS forwarder (the second address of the subnet is the Yandex.Cloud resolver):

    Set-DnsServerForwarder '10.1.0.2'
    
  12. Configure the DNS client:

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses 10.2.0.3,127.0.0.1
    

Configure the second domain controller

  1. Connect to jump-server-vm using RDP.

  2. Connect to ad-vm-b using RDP. Specify Administrator as the username and enter your password.

  3. Create a temporary folder:

    mkdir C:\Windows\temp
    
  4. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    
    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Active Directory Domain Services, Group P...
    
  5. Configure the DNS client:

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses 10.1.0.3,127.0.0.1
    
  6. Configure a static IP address:

    netsh interface ip set address "Ethernet 2" static 10.2.0.3 255.255.255.0 10.2.0.1
    
  7. Add the controller to the domain:

    Install-ADDSDomainController `
        -Credential (Get-Credential "yantoso\Administrator") `
        -DomainName 'yantoso.net' `
        -Force:$true
    

    Windows restarts automatically. Relaunch PowerShell.

  8. Set the DNS forwarder:

    Set-DnsServerForwarder '10.2.0.2'
    

Test Active Directory

  1. Connect to jump-server-vm using RDP.

  2. Connect to ad-vm-b using RDP. Specify Administrator as the username and enter your password. Launch PowerShell.

  3. Create a test user:

    New-ADUser testUser
    
  4. Make sure the user is present on both servers:

    Get-ADUser testUser -Server ad-vm-b
    Get-ADUser testUser -Server ad-vm-a
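
The two lookups above only show that the user replicated. The following PowerShell script, added here as an example and not part of the Yandex.Cloud tutorial, checks the whole deployment from ad-vm-a: user visibility on both controllers, replication failures, the site link and subnet-to-site mapping configured earlier, and the DNS forwarders. It assumes the hostnames, sites, CIDRs and resolver addresses from the steps above; the Report and LeafName helpers are hypothetical and exist only for readable output.

```powershell
# Added post-deployment check; not part of the Yandex.Cloud tutorial.
# Run in PowerShell on ad-vm-a as a domain administrator after both controllers
# have been promoted. Names and addresses are the ones used in the steps above.
$dcs      = @('ad-vm-a', 'ad-vm-b')
$testUser = 'testUser'
$expected = @{ '10.1.0.0/16' = 'ru-central1-a'
               '10.2.0.0/16' = 'ru-central1-b'
               '10.3.0.0/16' = 'ru-central1-c' }
# Helpers (hypothetical, for readable output only).
function Report([bool]$ok, [string]$what) {
    if ($ok) { Write-Host "[OK]   $what" } else { Write-Warning "[FAIL] $what" }
}
# Leaf name of a DN: 'CN=ru-central1-b,CN=Sites,...' -> 'ru-central1-b'.
function LeafName([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# 1. The test user was created on ad-vm-b and must be readable from both controllers.
foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $testUser -Server $dc -ErrorAction SilentlyContinue
    Report ($null -ne $u) "$dc returns user $testUser"
}

# 2. Neither controller may report replication failures with its partner.
foreach ($dc in $dcs) {
    $failures = @(Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue)
    Report ($failures.Count -eq 0) "$dc has no replication failures"
    $failures | ForEach-Object { Write-Warning "       $dc -> $(LeafName $_.Partner): $($_.FailureType) x$($_.FailureCount)" }
}

# 3. The renamed site link must cover both DC sites, replicate every 15 minutes
#    and have change notification enabled (bit 1 of the options attribute).
$link  = Get-ADReplicationSiteLink -Identity 'ru-central1' -Properties options
$sites = @($link.SitesIncluded | ForEach-Object { LeafName $_ })
foreach ($s in 'ru-central1-a', 'ru-central1-b') { Report ($sites -contains $s) "site link includes $s" }
Report ($link.ReplicationFrequencyInMinutes -eq 15) "site link replicates every 15 minutes"
Report ((([int]$link.options) -band 1) -eq 1) "site link has change notification enabled"

# 4. Each subnet must map to the site of its availability zone, otherwise clients
#    in that zone will not prefer their local domain controller.
foreach ($cidr in $expected.Keys) {
    $sub  = Get-ADReplicationSubnet -Identity $cidr -ErrorAction SilentlyContinue
    $site = if ($sub -and $sub.Site) { LeafName $sub.Site } else { '<unmapped>' }
    Report ($site -eq $expected[$cidr]) "subnet $cidr maps to $($expected[$cidr]) (found $site)"
}
# 5. Each controller must forward unresolved names to the Yandex.Cloud resolver of its subnet.
foreach ($pair in @(@('ad-vm-a', '10.1.0.2'), @('ad-vm-b', '10.2.0.2'))) {
    $fwd = @((Get-DnsServerForwarder -ComputerName $pair[0] -ErrorAction SilentlyContinue).IPAddress | ForEach-Object { $_.IPAddressToString })
    Report ($fwd -contains $pair[1]) "$($pair[0]) forwards DNS to $($pair[1])"
}
```

Check 5 queries ad-vm-b over WinRM from ad-vm-a, so it reports a failure if remote management is blocked between the subnets even when the forwarder itself is correct.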
    

Delete the created resources

To stop paying for deployed servers, delete all the VMs you created.

© 2021 Yandex.Cloud LLC