© 2022 Yandex.Cloud LLC

Deploying Active Directory

Written by
Yandex Cloud
  • Before you start
    • Required paid resources
  • Create a cloud network and subnets
  • Create a script to manage a local administrator account
  • Create a VM for Active Directory
  • Create a VM for a bastion host
  • Install and configure Active Directory
  • Configure the second domain controller
  • Test Active Directory
  • How to delete created resources

The scenario provides an example of how to deploy Active Directory in Yandex Cloud.

To deploy the Active Directory infrastructure:

  1. Before you start.
  2. Create a cloud network and subnets.
  3. Create a script to manage a local administrator account.
  4. Create a VM for Active Directory.
  5. Create a VM for a bastion host.
  6. Install and configure Active Directory.
  7. Configure the second domain controller.
  8. Test Active Directory.

If you no longer need the infrastructure, delete all the resources it uses.

Before you start

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

Required paid resources

The cost of an Active Directory installation includes:

  • A fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • A fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • The cost of outgoing traffic from Yandex Cloud to the internet (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create a cloud network named ad-network with subnets in all the availability zones where your VMs will be located.

  1. Create a cloud network:

    Management console

    To create a cloud network:

    1. Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
    2. Click Create network.
    3. Enter the network name ad-network.
    4. Click Create network.

    CLI

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    To create a cloud network, run the command:

    yc vpc network create --name ad-network
    
  2. Create three ad-network subnets:

    Management console

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create the subnet.
    2. Click on the name of the cloud network.
    3. Click Add subnet.
    4. Fill out the form: set the subnet name to ad-subnet-a and select the ru-central1-a availability zone from the drop-down list.
    5. Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.

    Repeat the steps for two more subnets:

    • Name: ad-subnet-b. Availability zone: ru-central1-b. CIDR: 10.2.0.0/16.
    • Name: ad-subnet-c. Availability zone: ru-central1-c. CIDR: 10.3.0.0/16.

    CLI

    To create subnets, run the following commands:

    yc vpc subnet create \
      --name ad-subnet-a \
      --zone ru-central1-a \
      --network-name ad-network \
      --range 10.1.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-b \
      --zone ru-central1-b \
      --network-name ad-network \
      --range 10.2.0.0/16
    
    yc vpc subnet create \
      --name ad-subnet-c \
      --zone ru-central1-c \
      --network-name ad-network \
      --range 10.3.0.0/16
    

Create a script to manage a local administrator account

When creating a virtual machine via the CLI, you need to set a password for the local administrator account.

To do this, create a file named setpass (with no extension) in the directory from which you run the CLI. Copy the script below into the file and replace <your password> with your own password. The script finds the built-in Administrator account by its well-known RID (the SID ending in -500) and sets its password; the #ps1 line on top tells the guest agent to run the file as PowerShell:

#ps1
Get-LocalUser | Where-Object SID -like '*-500' | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

The password must meet the complexity requirements.

Read more about the best practices for securing Active Directory on the official website.
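The following is an added example, not code from the Yandex Cloud tutorial. It generates a password with a cryptographic random source, checks it against the Windows complexity policy the page refers to (at least three of four character classes, not containing the account name, minimum length), and writes the setpass file in exactly the format shown above. It assumes the file is written to the current directory; the function names are the example's own.

```powershell
# Added example, not part of the Yandex Cloud tutorial: produce a password that meets the
# Windows complexity policy and write the setpass file in the page's format.
# Assumptions: the file goes into the current directory; the '#ps1' header and the
# RID-500 lookup of the built-in Administrator are taken from the tutorial itself.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = 'Administrator',
        [int]$MinimumLength = 7      # default domain policy minimum; raise to your own baseline
    )
    if ($Password.Length -lt $MinimumLength) { return $false }
    # The policy rejects passwords containing the account name (checked case-insensitively)
    if ($AccountName.Length -ge 3 -and $Password -match [regex]::Escape($AccountName)) { return $false }
    # At least three of the four character classes must be present
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet covers all four classes; the symbols are safe inside a single-quoted literal
    $alphabet = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) + [char[]]'!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $alphabet[$byte[0] % $alphabet.Length]
        }
        $candidate = -join $chars
    } while (-not (Test-PasswordComplexity -Password $candidate))
    return $candidate
}

function New-SetPassFile {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$Path = 'setpass'            # no extension, as the tutorial expects
    )
    if (-not (Test-PasswordComplexity -Password $Password)) {
        throw 'Password does not meet the complexity requirements.'
    }
    # Single-quoted literal in the generated script, so $ and ` in the password are not expanded
    $literal = $Password.Replace("'", "''")
    $script  = "#ps1`r`n" +
               "Get-LocalUser | Where-Object SID -like '*-500' | " +
               "Set-LocalUser -Password (ConvertTo-SecureString '$literal' -AsPlainText -Force)`r`n"
    # ASCII without a byte-order mark, so the first bytes of the file are the '#ps1' marker
    $full = Join-Path (Get-Location).Path $Path
    [System.IO.File]::WriteAllText($full, $script, [System.Text.Encoding]::ASCII)
    return $full
}

# Usage: generate the password, store it in your password manager, then write the file
# that the --metadata-from-file user-data=setpass parameter below uploads.
$adminPassword = New-RandomPassword
$setpassPath   = New-SetPassFile -Password $adminPassword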

Create a VM for Active Directory

Create two VMs for Active Directory domain controllers. These VMs don't have internet access.

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter the VM name ad-vm-a.

  3. Select the availability zone: ru-central1-a.

  4. Under Image/boot disk selection → Cloud Marketplace, click Show more. In the window that opens, select the Windows Server 2019 Datacenter image and click Use.

  5. Under Disks, enter 50 GB for the size of the boot disk.

  6. Under Computing resources:

    • Select the platform: Intel Ice Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 4.
      • Guaranteed vCPU share: 100%.
      • RAM: 8 GB.
  7. Under Network settings:

    • Select the ad-subnet-a subnet.
    • Public address: No address.
    • Internal address: Select Manual and specify 10.1.0.3.
  8. Under Access, in the Password field, enter your password.

  9. Click Create VM.

Repeat this operation for the VM ad-vm-b in the ru-central1-b availability zone, connect it to the ad-subnet-b subnet, and manually specify the internal address 10.2.0.3.

CLI

yc compute instance create \
  --name ad-vm-a \
  --hostname ad-vm-a \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-a \
  --network-interface subnet-name=ad-subnet-a,ipv4-address=10.1.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk \
  --metadata-from-file user-data=setpass

yc compute instance create \
  --name ad-vm-b \
  --hostname ad-vm-b \
  --memory 8 \
  --cores 4 \
  --zone ru-central1-b \
  --network-interface subnet-name=ad-subnet-b,ipv4-address=10.2.0.3 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk \
  --metadata-from-file user-data=setpass

Create a VM for a bastion host

A bastion host (jump server) with a public IP address is used to connect to and configure the Active Directory VMs, which have no internet access.

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter the VM name jump-server-vm.

  3. Select the ru-central1-c availability zone.

  4. Under Image/boot disk selection → Cloud Marketplace, click Show more. In the window that opens, select the Windows Server 2019 Datacenter image and click Use.

  5. Under Disks, enter 50 GB for the size of the boot disk.

  6. Under Computing resources:

    • Select the platform: Intel Ice Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 2.
      • Guaranteed vCPU share: 100%.
      • RAM: 4 GB.
  7. Under Network settings, select the ad-subnet-c subnet. Under Public address, select Automatically.

  8. Under Access, in the Password field, enter your password.

  9. Click Create VM.

CLI

yc compute instance create \
  --name jump-server-vm \
  --hostname jump-server-vm \
  --memory 4 \
  --cores 2 \
  --zone ru-central1-c \
  --network-interface subnet-name=ad-subnet-c,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk \
  --metadata-from-file user-data=setpass
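All three VMs are now defined, and the design depends on a property worth verifying rather than assuming: the two domain controllers have no public address, while the bastion host has one. The block below is an added example, not part of the Yandex Cloud tutorial. It queries each instance through the yc CLI, reports any VM whose exposure does not match the design, and can remove the user-data metadata key that still carries the plaintext setpass script once the VMs have completed their first boot (instance metadata is readable from inside the VM). It assumes yc is on PATH with an initialized profile; the --full flag and the JSON field names used below (network_interfaces, primary_v4_address.one_to_one_nat, metadata) should be checked against the output of your CLI version.

```powershell
# Added example, not part of the Yandex Cloud tutorial: confirm that each VM's exposure
# matches the design (no public IP on the domain controllers, one on the bastion host)
# and optionally drop the user-data key that still holds the setpass script.
# Assumptions: yc is on PATH with an initialised profile; the --full flag and the JSON
# field names below are taken from yc's JSON output and should be verified for your version.

function Get-InstanceExposure {
    param([Parameter(Mandatory)][string]$Name)
    $lines = yc compute instance get --name $Name --full --format json
    if ($LASTEXITCODE -ne 0) { throw "yc compute instance get failed for $Name" }
    $vm  = ($lines -join "`n") | ConvertFrom-Json
    $nic = $vm.network_interfaces[0]
    [pscustomobject]@{
        Name        = $vm.name
        InternalIp  = $nic.primary_v4_address.address
        PublicIp    = $nic.primary_v4_address.one_to_one_nat.address   # $null when no NAT
        HasUserData = [bool]($vm.metadata.PSObject.Properties.Name -contains 'user-data')
    }
}

function Test-DeploymentExposure {
    param(
        # VM name -> whether a public address is expected
        [hashtable]$ExpectedPublic = @{ 'ad-vm-a' = $false; 'ad-vm-b' = $false; 'jump-server-vm' = $true },
        [switch]$RemoveUserData
    )
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($name in $ExpectedPublic.Keys) {
        $e = Get-InstanceExposure -Name $name
        $hasPublic = [bool]$e.PublicIp
        if ($hasPublic -and -not $ExpectedPublic[$name]) {
            $problems.Add("$name has public address $($e.PublicIp) but must not be reachable from the internet")
        }
        if (-not $hasPublic -and $ExpectedPublic[$name]) {
            $problems.Add("$name has no public address; RDP from outside will fail")
        }
        if ($e.HasUserData -and $RemoveUserData) {
            # The setpass script (plaintext password) stays in metadata until removed
            yc compute instance remove-metadata --name $name --keys user-data | Out-Null
            if ($LASTEXITCODE -ne 0) { $problems.Add("could not remove user-data from $name") }
        }
    }
    return $problems
}

# Usage: run after all three VMs have finished their first boot
$issues = Test-DeploymentExposure -RemoveUserData
if ($issues.Count -eq 0) { 'Exposure matches the design.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Removing the metadata key does not change the password already set on the VM; it only stops the script from being readable afterwards through the CLI or the in-guest metadata service.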

Install and configure Active Directory

VMs with Active Directory don't have internet access, so they should be configured from the jump-server-vm VM using RDP.

  1. Connect to jump-server-vm using RDP. Enter Administrator as the username and then your password.

  2. Launch RDP and connect to ad-vm-a, using its local IP address, the Administrator username and your password.

  3. Run PowerShell and set a static address (the mask matches the /16 subnet created earlier):

    netsh interface ip set address "eth0" static 10.1.0.3 255.255.0.0 10.1.0.1
    
  4. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    

    Output:

    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Active Directory Domain Services, Group P...
    
  5. Create an Active Directory forest:

    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
    

    Then enter the password and confirm it.

    Windows restarts automatically. Reconnect to ad-vm-a and launch PowerShell.

  6. Rename the default site to ru-central1-a:

    Get-ADReplicationSite 'Default-First-Site-Name' | Rename-ADObject -NewName 'ru-central1-a'
    
  7. Create two more sites for the other availability zones:

    New-ADReplicationSite 'ru-central1-b'
    New-ADReplicationSite 'ru-central1-c'
    
  8. Create subnets and link them to the sites:

    New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'ru-central1-a'
    New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'ru-central1-b'
    New-ADReplicationSubnet -Name '10.3.0.0/16' -Site 'ru-central1-c'
    
  9. Add the second site to the default site link, shorten the replication interval, enable change notification, and rename the link:

    $link = Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' -Properties options
    Set-ADReplicationSiteLink $link -SitesIncluded @{Add='ru-central1-b'} -ReplicationFrequencyInMinutes 15
    # Bit 0x1 of options turns on change notification, so intersite replication
    # does not wait for the 15-minute schedule
    Set-ADObject $link -Replace @{options = ([int]$link.options -bor 1)}
    Rename-ADObject $link -NewName 'ru-central1'
    
  10. Set the DNS forwarder (the subnet's own DNS server):

    Set-DnsServerForwarder '10.1.0.2'
    
  11. Configure the DNS client (the other controller first, then the local server):

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses '10.2.0.3', '127.0.0.1'
    

Configure the second domain controller

  1. Connect to jump-server-vm using RDP.

  2. Using RDP, connect to ad-vm-b, using its local IP address, the Administrator username and your password.

  3. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    

    Output:

    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             NoChangeNeeded {}
    
  4. Configure the DNS client (the first controller first, then the local server):

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses '10.1.0.3', '127.0.0.1'
    
  5. Configure a static IP address (the mask matches the /16 subnet created earlier):

    netsh interface ip set address "eth0" static 10.2.0.3 255.255.0.0 10.2.0.1
    
  6. Add the controller to the domain:

    Install-ADDSDomainController `
        -Credential (Get-Credential "yantoso\Administrator") `
        -DomainName 'yantoso.net' `
        -Force:$true
    

    Then enter the password and confirm it.

    Windows restarts automatically. Reconnect to ad-vm-b and launch PowerShell.

  7. Set the DNS forwarder (the subnet's own DNS server):

    Set-DnsServerForwarder '10.2.0.2'
    

Test Active Directory

  1. Connect to jump-server-vm using RDP.

  2. Using RDP, connect to ad-vm-b, using its local IP address, the Administrator username and your password. Launch PowerShell.

  3. Create a test user:

    New-ADUser testUser
    
  4. Make sure the user is present on both servers:

    Get-ADUser testUser -Server 10.1.0.3
    Get-ADUser testUser -Server 10.2.0.3
    

    Output:

    DistinguishedName : CN=testUser,CN=Users,DC=yantoso,DC=net
    Enabled           : False
    GivenName         :
    Name              : testUser
    ObjectClass       : user
    ObjectGUID        : 7202f41a-(...)-2d168ecd5271
    SamAccountName    : testUser
    SID               : S-1-5-21-(...)-1105
    Surname           :
    UserPrincipalName :
    
    DistinguishedName : CN=testUser,CN=Users,DC=yantoso,DC=net
    Enabled           : False
    GivenName         :
    Name              : testUser
    ObjectClass       : user
    ObjectGUID        : 7202f41a-(...)-2d168ecd5271
    SamAccountName    : testUser
    SID               : S-1-5-21-(...)-1105
    Surname           :
    UserPrincipalName :
    

How to delete created resources

To stop paying for deployed servers, delete all the VMs.
