Deploying Active Directory
The scenario provides an example of how to deploy Active Directory in Yandex.Cloud.
To deploy the Active Directory infrastructure:
- Before you start.
- Required paid resources.
- Create a cloud network and subnets.
- Create a script to manage a local administrator account.
- Create a VM for Active Directory.
- Create a VM for a bastion host.
- Install and configure Active Directory.
- Configure the second domain controller.
- Test Active Directory.
- Delete the created resources.
Before you start
Before deploying servers, you need to sign up for Yandex.Cloud and create a billing account:
- Go to the management console. Then log in to Yandex.Cloud or sign up if you don't already have an account.
- On the billing page, make sure that a billing account is linked and that it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.
If you have an active billing account, you can create or select a folder to run your VM in from the Yandex.Cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of an Active Directory installation includes:
- A fee for continuously running VMs (see Yandex Compute Cloud pricing).
- A fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
- The cost of outgoing traffic from Yandex.Cloud to the internet (see Yandex Compute Cloud pricing).
Create a cloud network and subnets
Create a cloud network named ad-network with subnets in all the availability zones where your VMs will be located.
- Create a cloud network.
Management console. To create a cloud network:
- Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
- Click Create network.
- Enter the network name ad-network.
- Click Create network.
CLI. To create a cloud network, run the command:
$ yc vpc network create --name ad-network
- Create three subnets in ad-network.
Management console. To create a subnet:
- Open the Virtual Private Cloud section in the folder where you want to create the subnet.
- Click on the name of the cloud network.
- Click Add subnet.
- Fill out the form: set the subnet name to ad-subnet-a and select the ru-central1-a availability zone from the drop-down list.
- Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP ranges, see Cloud networks and subnets.
- Click Create subnet.
Repeat these steps for two more subnets, ad-subnet-b and ad-subnet-c, in the ru-central1-b and ru-central1-c availability zones with the 10.2.0.0/16 and 10.3.0.0/16 CIDR, respectively.
CLI. To create the subnets, run the following commands:
$ yc vpc subnet create \
    --name ad-subnet-a \
    --zone ru-central1-a \
    --network-name ad-network \
    --range 10.1.0.0/16
$ yc vpc subnet create \
    --name ad-subnet-b \
    --zone ru-central1-b \
    --network-name ad-network \
    --range 10.2.0.0/16
$ yc vpc subnet create \
    --name ad-subnet-c \
    --zone ru-central1-c \
    --network-name ad-network \
    --range 10.3.0.0/16
Create a script to manage a local administrator account
Create a file named setpass with a script that sets a password for the local administrator account when creating VMs via the CLI:
#ps1
# The account whose SID ends in -500 is the built-in Administrator, whatever it has been renamed to.
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
The password must meet the Windows password complexity requirements.
The file is passed to the VM as the user-data metadata key, so the password is stored in plain text in the instance metadata, where anyone with read access to the instance can see it (and where it is reachable from inside the VM through the metadata service). Treat it as a bootstrap password: change it after the first logon and remove the key afterwards with yc compute instance remove-metadata --keys user-data.
Read more about the best practices for securing Active Directory on the official website.
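The following PowerShell script is an added example and not part of the original tutorial: run on your workstation, it generates a random bootstrap password that satisfies the default Windows complexity policy (at least three of the four character classes, and not containing the account name), verifies it, and writes the setpass file in exactly the form the CLI steps above expect. The function names and the output path are this example's own; the setpass script body is the one from the tutorial.

```powershell
# Mirrors the default "Password must meet complexity requirements" policy:
# three of four character classes, and the password must not contain the
# account name (the built-in Administrator is the account setpass targets).
function Test-PasswordComplexity {
    param([string]$Password, [string[]]$AccountNames = @('Administrator'))
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { return $false }
    foreach ($n in $AccountNames) {
        if ($n.Length -ge 3 -and $Password -match [regex]::Escape($n)) { return $false }
    }
    return $true
}

# Draws from a 64-character alphabet with a CSPRNG (a power-of-two alphabet
# avoids modulo bias), and resamples until the complexity check passes.
# Visually ambiguous characters (I, O, l, 0, 1) and quotes are left out so the
# value can be typed at an RDP logon and quoted safely inside setpass.
function New-BootstrapPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    if ($alphabet.Count -ne 64) { throw 'alphabet must contain exactly 64 characters' }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Length
    do {
        $rng.GetBytes($buf)
        $candidate = -join ($buf | ForEach-Object { $alphabet[$_ -band 63] })
    } until (Test-PasswordComplexity -Password $candidate)
    return $candidate
}

# Writes the user-data file. The first line (#ps1) tells the Yandex.Cloud
# Windows image to run the rest as PowerShell; the body is the tutorial's.
function Write-SetpassFile {
    param([string]$Path, [string]$Password)
    $lines = @(
        '#ps1',
        "Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString '$Password' -AsPlainText -Force)"
    )
    [System.IO.File]::WriteAllLines($Path, $lines)
}

$password = New-BootstrapPassword
Write-SetpassFile -Path (Join-Path $PWD 'setpass') -Password $password
# Record the password in your secrets store now; the file and the instance
# metadata it ends up in are plain text and should be removed after bootstrap.
$password
```

The script prints the generated password once so you can store it before creating the VMs; delete the setpass file and clear the user-data key from the instances once you have logged on and changed the password.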
Create a VM for Active Directory
Create two VMs for Active Directory domain controllers. These VMs get no public IP address and therefore have no internet access.
Management console:
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name ad-vm-a.
- Select the availability zone ru-central1-a.
- Under Images from Cloud Marketplace, click Select. In the window that opens, select the Windows Server 2016 Datacenter image.
- Under Disks, enter 35 GB for the size of the boot disk.
- Under Computing resources:
  - Choose a platform: Intel Cascade Lake.
  - Specify the number of vCPUs and amount of RAM:
    - vCPU: 4.
    - Guaranteed vCPU share: 100%.
    - RAM: 8 GB.
- Under Network settings, click Add network and select ad-network. Select ad-subnet-a. Under Public address, select No address.
- Under Access, specify the data required to access the VM:
  - In the Password field, enter your password.
- Click Create VM.
Repeat this operation for the VM ad-vm-b in the ru-central1-b availability zone and connect it to the subnet ad-subnet-b.
CLI. To create the VMs, run the following commands (the setpass file created earlier is passed as user-data):
$ yc compute instance create \
    --name ad-vm-a \
    --hostname ad-vm-a \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-a \
    --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass
$ yc compute instance create \
    --name ad-vm-b \
    --hostname ad-vm-b \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-b \
    --network-interface subnet-name=ad-subnet-b,ipv4-address=10.2.0.3 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass
Create a VM for a bastion host
A jump server (bastion host) with a public IP address is used to configure the Active Directory VMs, which have no internet access themselves.
Management console:
- On the folder page in the management console, click Create resource and select Virtual machine.
- In the Name field, enter the VM name jump-server-vm.
- Select the availability zone ru-central1-c.
- Under Images from Cloud Marketplace, click Select. In the window that opens, select the Windows Server 2016 Datacenter image.
- Under Disks, enter 35 GB for the size of the boot disk.
- Under Computing resources:
  - Choose a platform: Intel Cascade Lake.
  - Specify the number of vCPUs and amount of RAM:
    - vCPU: 2.
    - Guaranteed vCPU share: 100%.
    - RAM: 4 GB.
- Under Network settings, click Add network and select ad-network. Select ad-subnet-c. Under Public address, select Auto, so that the jump server gets a public IP address (the CLI command below does the same with nat-ip-version=ipv4).
- Under Access, specify the data required to access the VM:
  - In the Password field, enter your password.
- Click Create VM.
CLI. To create the VM, run the command:
$ yc compute instance create \
    --name jump-server-vm \
    --hostname jump-server-vm \
    --memory 4 \
    --cores 2 \
    --zone ru-central1-c \
    --network-interface subnet-name=ad-subnet-c,nat-ip-version=ipv4 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \
    --metadata-from-file user-data=setpass
Install and configure Active Directory
VMs with Active Directory don't have internet access, so they are configured from the jump-server-vm VM over RDP. The jump server is the only host reachable from the internet, so restrict inbound RDP (TCP/3389) to the addresses you administer from.
- Connect to jump-server-vm using RDP. Enter Administrator as the username and then your password.
- Start the RDP client and connect to ad-vm-a.
- Run PowerShell and set a static address. The mask must match the /16 subnet created in VPC; 10.1.0.1 is the subnet gateway:
netsh interface ip set address "Ethernet 2" static 10.1.0.3 255.255.0.0 10.1.0.1
- Create a temporary folder:
mkdir C:\Windows\temp
- Install the Active Directory Domain Services role:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Group P...
- Create an Active Directory forest:
Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
You will be prompted for a Directory Services Restore Mode (DSRM) password; record it outside the domain, because it is the only way to log on to the controller when the directory is offline. Windows restarts automatically. Relaunch PowerShell.
- Rename the default site to ru-central1-a:
Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
- Create two more sites for the other availability zones:
New-ADReplicationSite 'ru-central1-b'
New-ADReplicationSite 'ru-central1-c'
- Create subnets and link them to the sites, so that each controller is placed in the site of its availability zone:
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'ru-central1-a'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'ru-central1-b'
New-ADReplicationSubnet -Name '10.3.0.0/16' -Site 'ru-central1-c'
- Rename the site link and configure replication. The link is read into a variable first, because $_ is only defined inside a script block and cannot be used to compute the new options value in a pipeline argument:
$link = Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' -Properties options
$link | Set-ADReplicationSiteLink -SitesIncluded @{Add='ru-central1-b'} -ReplicationFrequencyInMinutes 15
# bit 1 of options (USE_NOTIFY) makes inter-site replication change-triggered as well as scheduled
$link | Set-ADObject -Replace @{options = ([int]$link.options -bor 1)}
$link | Rename-ADObject -NewName 'ru-central1'
- Set the DNS forwarder to the Yandex.Cloud resolver of the subnet (the second address of its range), so that names outside the forest are still resolved:
Set-DnsServerForwarder '10.1.0.2'
- Configure the DNS client. The first server is the second domain controller (configured in the next section), the second is the local DNS service:
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ("10.2.0.3","127.0.0.1")
Configure the second domain controller
- Connect to jump-server-vm using RDP.
- Connect to ad-vm-b using RDP. Specify Administrator as the username and enter your password.
- Create a temporary folder:
mkdir C:\Windows\temp
- Install the Active Directory Domain Services role:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Group P...
- Configure the DNS client. The first controller must be the first DNS server so that the domain can be located before promotion; the local DNS service comes second:
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ("10.1.0.3","127.0.0.1")
- Configure a static IP address. The mask must match the /16 subnet; 10.2.0.1 is the subnet gateway:
netsh interface ip set address "Ethernet 2" static 10.2.0.3 255.255.0.0 10.2.0.1
- Add the controller to the domain. Because the 10.2.0.0/16 subnet is mapped to the ru-central1-b site, the new controller is placed in that site automatically:
Install-ADDSDomainController `
    -Credential (Get-Credential "yantoso\Administrator") `
    -DomainName 'yantoso.net' `
    -Force:$true
You will be prompted for a DSRM password for this controller as well. Windows restarts automatically. Relaunch PowerShell.
- Set the DNS forwarder to the Yandex.Cloud resolver of this subnet:
Set-DnsServerForwarder '10.2.0.2'
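The two procedures above (building the forest on ad-vm-a and adding ad-vm-b as a second controller) are the same sequence with different roles, so the following script, an added example that is not part of the original tutorial, performs both. Run it on ad-vm-a with -Role Forest and on ad-vm-b with -Role Additional; after the automatic reboot, run it again with -Phase PostPromotion. Addresses, host names, the domain name and the site layout are the tutorial's; the parameter names and the $cfg table are this script's own assumptions.

```powershell
<#
  dc-setup.ps1: forest creation or additional-DC promotion, in two phases
  because both promotion cmdlets reboot the server.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Forest', 'Additional')][string]$Role,
    [ValidateSet('PrePromotion', 'PostPromotion')][string]$Phase = 'PrePromotion',
    [string]$DomainName = 'yantoso.net',
    [string]$Adapter    = 'Ethernet 2'
)

# Per-role addressing from the tutorial: .1 is the subnet gateway, .2 the
# Yandex.Cloud resolver used as DNS forwarder, Peer is the other controller.
$cfg = @{
    Forest     = @{ Ip = '10.1.0.3'; Gw = '10.1.0.1'; Fwd = '10.1.0.2'; Peer = '10.2.0.3'; Site = 'ru-central1-a' }
    Additional = @{ Ip = '10.2.0.3'; Gw = '10.2.0.1'; Fwd = '10.2.0.2'; Peer = '10.1.0.3'; Site = 'ru-central1-b' }
}[$Role]

if ($Phase -eq 'PrePromotion') {
    # Static address; the mask must match the /16 subnets created in VPC.
    netsh interface ip set address $Adapter static $cfg.Ip 255.255.0.0 $cfg.Gw

    $r = Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    if (-not $r.Success) { throw "AD DS role install failed: $($r.ExitCode)" }

    # DSRM password: the only way into the controller when the directory is
    # offline, so record it outside the domain. Prompted, never hard-coded.
    $dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

    if ($Role -eq 'Forest') {
        Install-ADDSForest -DomainName $DomainName -InstallDns `
            -SafeModeAdministratorPassword $dsrm -Force
    }
    else {
        # The new controller must find the domain through the first DC before
        # promotion, so point the DNS client at it and prove that it answers.
        Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses @($cfg.Peer, '127.0.0.1')
        if (-not (Resolve-DnsName -Name $DomainName -Server $cfg.Peer -Type A -ErrorAction SilentlyContinue)) {
            throw "$($cfg.Peer) does not resolve $DomainName; fix DNS before promoting"
        }
        # -SiteName states the intended site explicitly instead of relying on
        # the subnet-to-site mapping alone.
        Install-ADDSDomainController -DomainName $DomainName -InstallDns `
            -Credential (Get-Credential 'yantoso\Administrator') `
            -SiteName $cfg.Site -SafeModeAdministratorPassword $dsrm -Force
    }
    # Both cmdlets reboot the server; rerun with -Phase PostPromotion afterwards.
}
else {
    Import-Module ActiveDirectory
    if ($Role -eq 'Forest') {
        # Site topology: one site per availability zone, subnets mapped to sites.
        Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
        'ru-central1-b', 'ru-central1-c' | ForEach-Object { New-ADReplicationSite -Name $_ }
        $subnets = @{ '10.1.0.0/16' = 'ru-central1-a'; '10.2.0.0/16' = 'ru-central1-b'; '10.3.0.0/16' = 'ru-central1-c' }
        foreach ($s in $subnets.GetEnumerator()) { New-ADReplicationSubnet -Name $s.Key -Site $s.Value }

        # Site link: add the second site, replicate every 15 minutes and set
        # bit 1 (USE_NOTIFY) so changes also trigger inter-site replication.
        $link = Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' -Properties options
        $link | Set-ADReplicationSiteLink -SitesIncluded @{ Add = 'ru-central1-b' } -ReplicationFrequencyInMinutes 15
        $link | Set-ADObject -Replace @{ options = ([int]$link.options -bor 1) }
        $link | Rename-ADObject -NewName 'ru-central1'
    }
    # Forward everything outside the forest to the cloud resolver, and make the
    # other controller the first DNS server with the local service as fallback.
    Set-DnsServerForwarder -IPAddress $cfg.Fwd
    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses @($cfg.Peer, '127.0.0.1')
}
```

Run the Forest role to completion on ad-vm-a (both phases) before starting the Additional role on ad-vm-b, since the pre-promotion check on ad-vm-b requires the first controller to already answer DNS queries for the domain.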
Test Active Directory
- Connect to jump-server-vm using RDP.
- Connect to ad-vm-b using RDP. Specify Administrator as the username and enter your password. Launch PowerShell.
- Create a test user:
New-ADUser testUser
- Make sure the user is present on both servers. Query each controller explicitly, otherwise the read is served by the local controller and proves nothing about replication:
Get-ADUser testUser -Server ad-vm-b
Get-ADUser testUser -Server ad-vm-a
The two controllers are in different sites, so the user appears on ad-vm-a after inter-site replication: at once if change notification is enabled on the site link, otherwise within the 15-minute replication interval.
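The following script is an added example, not part of the original tutorial, that turns the manual test above into a repeatable health check: it confirms that both controllers are advertised in DNS, shows which site each controller landed in, checks replication metadata for failures, and then proves end-to-end replication with a throw-away user that it removes afterwards. Host and domain names follow the tutorial; the function name and the default parameter values are this example's own.

```powershell
Import-Module ActiveDirectory

function Test-AdDeployment {
    param(
        [string]$Domain     = 'yantoso.net',
        [string[]]$Dcs      = @('ad-vm-a.yantoso.net', 'ad-vm-b.yantoso.net'),
        [string]$TestUser   = 'testUser'
    )
    $ok = $true

    # 1. Every controller must register itself in the _msdcs SRV records;
    #    a DC missing here will never be found by clients or by its peer.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    foreach ($dc in $Dcs) {
        if ($srv.NameTarget -notcontains $dc) { Write-Warning "no SRV record for $dc"; $ok = $false }
    }

    # 2. Each controller should sit in the site of its subnet (ru-central1-a / -b).
    Get-ADDomainController -Filter * | ForEach-Object {
        Write-Host ('{0,-28} {1,-14} {2}' -f $_.HostName, $_.Site, $_.IPv4Address)
    }

    # 3. No recorded replication failures, and every partner link has
    #    completed at least one successful replication cycle.
    foreach ($dc in $Dcs) {
        $fail = Get-ADReplicationFailure -Target $dc -Scope Server
        if ($fail) { Write-Warning "replication failures reported by $dc"; $ok = $false }
        Get-ADReplicationPartnerMetadata -Target $dc -Scope Server | ForEach-Object {
            if (-not $_.LastReplicationSuccess) {
                Write-Warning "$dc has never replicated from $($_.Partner)"; $ok = $false
            }
        }
    }

    # 4. End to end: create the user on the first controller, push that single
    #    object to the second, then read it back from each controller by name
    #    so the check cannot be satisfied by a local read.
    New-ADUser -Name $TestUser -Server $Dcs[0]
    $dn = (Get-ADUser -Identity $TestUser -Server $Dcs[0]).DistinguishedName
    Sync-ADObject -Object $dn -Source $Dcs[0] -Destination $Dcs[1]
    foreach ($dc in $Dcs) {
        if (-not (Get-ADUser -Identity $TestUser -Server $dc -ErrorAction SilentlyContinue)) {
            Write-Warning "$TestUser not present on $dc"; $ok = $false
        }
    }
    # Remove the test account so it does not linger in the directory.
    Remove-ADUser -Identity $dn -Server $Dcs[0] -Confirm:$false
    return $ok
}

Test-AdDeployment
```

Sync-ADObject replicates only the one object rather than forcing a full cycle, so the check completes without waiting for the site link schedule; if step 3 reports failures, fix them before trusting the result of step 4.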
Delete the created resources
To stop paying for deployed servers, delete all the VMs you created.