Building a Highly Available Active Directory Infrastructure in Azure Virtual Machines with Static Internal IP Addresses.

Hi, thanks for visiting, and firstly apologies for the long title!


This post will show how to set up two highly available domain controllers in Azure. To make them highly available, the machines within a cloud service (a group of machines, usually one tier of an application) need to be placed in an availability set.

Why Bother with Static IP Addresses in Azure at All?

Microsoft now recommends that domain controllers have static IP addresses, and static addresses are also useful for other critical servers in your environment. By default Azure assigns IP addresses using DHCP from a range of addresses you supply. I always create my networks with a subnet for each machine so that I have some control over which IP address each machine receives: once a machine is in a subnet it receives the first available IP address in that subnet. Microsoft provides no guarantee of this, though, and could change the algorithm. So what happens if I have multiple machines within the same subnet, shut them all down (and de-allocate them) and restart them in a different order? They can, and most probably WILL, receive different IP addresses, which can break your services. That is the main reason why having static IP addresses is a real bonus for us.
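As an added example (not part of the original post), the following Azure PowerShell (ASM module) snippet reports which VMs in a cloud service still hold a DHCP-assigned address and pins each of them to the address it holds today, so that a deallocate-and-restart in a different order cannot move it. It assumes the cloud service and virtual network names used later in this post.

```powershell
# Added example, not the post's own script. Assumes the ASM Azure module is
# loaded and a subscription is already selected. Names are the post's demo values.
$serviceName = "MCDCCloudService"
$vnetName    = "mcstaticvnet"

function Get-VmAddressReport {
    param([string]$ServiceName)
    Get-AzureVM -ServiceName $ServiceName | ForEach-Object {
        $reservation = $_ | Get-AzureStaticVNetIP     # $null when no static IP is reserved
        [pscustomobject]@{
            Name      = $_.Name
            Subnet    = ($_ | Get-AzureSubnet) -join ","
            CurrentIP = $_.IpAddress
            StaticIP  = if ($reservation) { $reservation.IPAddress } else { "(dynamic)" }
        }
    }
}

function Set-StaticIpToCurrent {
    param([string]$ServiceName, [string]$VNetName, [string]$VmName)
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VmName
    $ip = $vm.IpAddress
    # Sanity check that the address really belongs to the VNet before reserving it;
    # IsAvailable is $false when another VM or reservation already holds it.
    $probe = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $ip
    Write-Host ("{0}: reserving {1} (IsAvailable={2})" -f $VmName, $ip, $probe.IsAvailable)
    # Update-AzureVM applies the reservation to the running VM; it may restart the VM,
    # so run this in a maintenance window.
    $vm | Set-AzureStaticVNetIP -IPAddress $ip | Update-AzureVM
}

# 1. Show the current state of every VM in the service.
Get-VmAddressReport -ServiceName $serviceName | Format-Table -AutoSize

# 2. Pin only the VMs that are still on DHCP.
Get-VmAddressReport -ServiceName $serviceName |
    Where-Object { $_.StaticIP -eq "(dynamic)" } |
    ForEach-Object { Set-StaticIpToCurrent -ServiceName $serviceName -VNetName $vnetName -VmName $_.Name }
```

Run the report first on its own; the pinning step is the same Set-AzureStaticVNetIP | Update-AzureVM pattern the post's script shows for updating existing VMs.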

How do you create a virtual machine with a static IP address in Azure, and what are the requirements?

Currently the only way to create a virtual machine in Azure with a static IP address is via PowerShell, and the network must be a regional network. This means the network was assigned to a region such as "North Europe" rather than to an affinity group. Microsoft say this restriction will be lifted in the future.

What if I want to add static IP addresses to VMs in my existing network?

If you try to create a VM with a static IP in a network that is assigned to an affinity group, it will fail. If you need this feature for an existing network, the only way is to recreate the network, remove all the VMs (do not delete the hard drives), then re-create the VMs using the existing hard drives within the new network. You can still assign storage and virtual machines to an affinity group, just not the network at this time.
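The migration just described, as an added example that is not part of the original post: each VM is removed without deleting its VHDs, and then rebuilt from the same OS and data disks inside the new regional network with a static address. The cloud service names, the new VNet name, the region and the subnet/IP plan are placeholders for your own values.

```powershell
# Added example, not the post's own script. Placeholder names: adjust to your environment.
$oldService = "OldCloudService"       # service whose VMs sit in the affinity-group VNet
$newService = "NewCloudService"       # must be unique in cloudapp.net
$newVnet    = "NewRegionalVnet"       # regional VNet already created in $location
$location   = "North Europe"
# VM name -> subnet and static IP it should get in the new network
$plan = @{ "StaticDC1" = @{ Subnet = "DNS1"; IP = "10.0.0.5" } }

foreach ($vmName in $plan.Keys) {
    $vm = Get-AzureVM -ServiceName $oldService -Name $vmName
    if (-not $vm) { Write-Warning "$vmName not found in $oldService"; continue }

    # Record the disks before removal. Remove-AzureVM without -DeleteVHD detaches
    # them but leaves the VHD blobs and disk registrations in place.
    $osDisk    = $vm | Get-AzureOSDisk
    $dataDisks = $vm | Get-AzureDataDisk
    Remove-AzureVM -ServiceName $oldService -Name $vmName

    # The disk stays marked as attached for a short while; wait until it is free.
    do {
        Start-Sleep -Seconds 15
        $d = Get-AzureDisk -DiskName $osDisk.DiskName
    } while ($d.AttachedTo)

    # Confirm the requested address is free in the new network before using it.
    $probe = Test-AzureStaticVNetIP -VNetName $newVnet -IPAddress $plan[$vmName].IP
    if (-not $probe.IsAvailable) {
        throw "$($plan[$vmName].IP) is in use; free addresses: $($probe.AvailableAddresses -join ', ')"
    }

    # Rebuild from the existing OS disk: no provisioning config, the OS is already installed.
    $cfg = New-AzureVMConfig -Name $vmName -InstanceSize $vm.InstanceSize -DiskName $osDisk.DiskName |
           Set-AzureSubnet -SubnetNames $plan[$vmName].Subnet |
           Set-AzureStaticVNetIP -IPAddress $plan[$vmName].IP
    foreach ($dd in $dataDisks) {
        $cfg = $cfg | Add-AzureDataDisk -Import -DiskName $dd.DiskName -LUN $dd.Lun
    }

    # -VNetName and -Location are only accepted when the cloud service is created,
    # i.e. for the first VM; later VMs join the service and inherit the network.
    if (Get-AzureService -ServiceName $newService -ErrorAction SilentlyContinue) {
        New-AzureVM -ServiceName $newService -VMs $cfg -WaitForBoot
    } else {
        New-AzureVM -ServiceName $newService -VMs $cfg -VNetName $newVnet -Location $location -WaitForBoot
    }
}
```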

Environment and Requirements

My environment is an Azure subscription with a regional network defined with a subnet for each VM. It also has a storage account for the virtual machine VHD files and an affinity group that tells Azure which region to store my compute and storage objects in. Scripts are provided below.

You will also need to download and install the latest Azure PowerShell module from here: https://azure.microsoft.com/en-us/downloads/

To connect to your Azure subscription you can follow the guide here:

https://miteshc.wordpress.com/2014/03/04/getting-started-with-windows-azure-powershell/


Video Tutorial on Azure VM Static IP Addressing

I have created a 20 minute video tutorial which takes you through the whole process, giving you two domain controllers that are highly available and have static IP addresses.

Azure PowerShell Static IP highly available AD


Scripts

All three scripts provided below need to be copied individually and saved as .ps1 files.

The InstallWinRMCertAzureVM.ps1 file needs to be downloaded from the link below. Save all .ps1 files in c:\scripts, for example, and check the paths in the scripts below if you change this.

http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe

Create the Static IP Domain Controller Virtual Machines

# Created by Mitesh Chauhan - July 2014.
# Purpose - Use this script to create new virtual machines with static IP addresses.
# Note - Currently this only works on regional networks and not networks created within an affinity group.
# VMs and storage CAN be in affinity groups for static IP addressing to work, just not networks atm.

# To UPDATE EXISTING VMs. Example:
# Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM

# You must remove the static IP before allocating a new static IP.
# REMOVE STATIC IP - Get-AzureVM -ServiceName StaticDemo -Name VM2 | Remove-AzureStaticVNetIP | Update-AzureVM

#Get-AzurePublishSettingsFile
#Import-AzurePublishSettingsFile "D:\yoursettingsfilesdownloaded from above cmdlet"

# Set subscription name
$subscriptionname = 'SharePoint BI Demos'

# Set VM and network variables
$Adminusername = "DemoAdmin"
# Demo value only: for a real deployment take the password from Get-Credential rather than hard-coding it in a saved script.
$Adminpassword = "Changeme10000"
$dc1name = "StaticDC1"
$dc2name = "staticDC2"

# Choose a name that has not been used before; you can check in the GUI at VM creation time for existence.
# As this is the internet-routable name it gives your cloud service, it needs to be unique in the cloudapp.net domain.
$vmcloudservice = "MCDCCloudService"
$AvailabilitySetName = 'ADAVSet'

# Your virtual network name
$vnetname = "mcstaticvnet"

# Set ImageName - get the latest Windows Server 2012 R2 build (sorted by publish date so "last" really is the newest).
$ws2012r2 = (Get-AzureVMImage | Where-Object ImageFamily -eq 'Windows Server 2012 R2 Datacenter' | Sort-Object PublishedDate | Select-Object -Last 1).ImageName

Set-AzureSubscription $subscriptionname -CurrentStorageAccountName "mcdemostore"
Select-AzureSubscription $subscriptionname

# Test for static IP registration (IsAvailable in the output tells you whether the address is free)
# Test-AzureStaticVNetIP -VNetName MCStaticVnet -IPAddress 10.0.0.5

# Configure VM settings for a new static IP VM, DC1.
# We are using the second IP address in the available pool (10.0.0.4-10.0.0.6) for this subnet to prove the VM is getting the correct IP by choice, not by default.
$myVM = New-AzureVMConfig -Name $dc1name -ImageName $ws2012r2 -InstanceSize "Small" -AvailabilitySetName $AvailabilitySetName |
Set-AzureSubnet -SubnetNames "DNS1" |
Set-AzureStaticVNetIP -IPAddress 10.0.0.5 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -Windows -Password $Adminpassword |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

# First VM in the cloud service: this call also creates the service and binds it to the virtual network.
New-AzureVM -ServiceName $vmcloudservice -VMs $myVM -AffinityGroup "NEAffinityGroup" -VNetName $vnetname -WaitForBoot

## Set RDP endpoint public ports
################################
# These endpoints are reachable from the internet on the cloud service's public address;
# restrict the source with an endpoint ACL (New-AzureAclConfig / Set-AzureAclConfig, then Set-AzureEndpoint -ACL)
# or remove them once remote PowerShell is working.
Get-AzureVM -ServiceName $vmcloudservice -Name $dc1name |
Set-AzureEndpoint -Name "RDP" -PublicPort 50000 -LocalPort 3389 -Protocol "tcp" |
Update-AzureVM

# Configure VM settings for a new static IP VM, DC2
##################################################

$myVM2 = New-AzureVMConfig -Name $dc2name -ImageName $ws2012r2 -InstanceSize "Small" -AvailabilitySetName $AvailabilitySetName |
Set-AzureSubnet -SubnetNames "DNS2" |
Set-AzureStaticVNetIP -IPAddress 10.0.0.13 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -Windows -Password $Adminpassword |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

# Provision VM - no VNet name required for a VM in an existing cloud service (created above in this example)
New-AzureVM -ServiceName $vmcloudservice -VMs $myVM2 -WaitForBoot

# Set RDP port for VM 2
Get-AzureVM -ServiceName $vmcloudservice -Name $dc2name |
Set-AzureEndpoint -Name "RDP" -PublicPort 50001 -LocalPort 3389 -Protocol "tcp" |
Update-AzureVM

# Remove static IP from VM1 (for reference)
## Get-AzureVM -ServiceName $vmcloudservice -Name $dc1name | Remove-AzureStaticVNetIP | Update-AzureVM

## Remote PowerShell connectivity

# Get certificate. Script source: http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe
# The script installs the VM's self-signed WinRM certificate into the local trusted root store,
# so the HTTPS remoting session below validates instead of failing on an untrusted certificate.
# RemoteSigned is enough to run a locally saved .ps1; Unrestricted is broader than this needs.
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $dc1name

# Credentials for the VM (the local admin account created above)
$cred = Get-Credential

$winRmUri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $dc1name
Invoke-Command -ConnectionUri $winRmUri.ToString() -Credential $cred -ScriptBlock {
    # Initialise and format the new data disk as F:, which holds the AD database, logs and SYSVOL
    Get-Disk |
    Where-Object PartitionStyle -eq "RAW" |
    Initialize-Disk -PartitionStyle MBR -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -Confirm:$false
}

## Promote DC ##

# Run this to promote the server to the first DC (the "New Forest Script" below)
Invoke-Command -ConnectionUri $winRmUri -Credential $cred -FilePath "c:\scripts\createdomaincontroller.ps1"

#########################
######## Promote DC 2 ####
#########################

# Get certificate
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $dc2name

# Return the correct URI for Remote PowerShell
$uri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $dc2name

# Credentials for the VM (also passed into the promotion script via $using:cred)
$cred = Get-Credential

Invoke-Command -ConnectionUri $uri.ToString() -Credential $cred -ScriptBlock {
    # Same data disk preparation as for DC1
    Get-Disk |
    Where-Object PartitionStyle -eq "RAW" |
    Initialize-Disk -PartitionStyle MBR -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -Confirm:$false
}

## Add second DC to the domain (the "Add Domain Controller to Forest" script below)
Invoke-Command -ConnectionUri $uri -Credential $cred -FilePath "c:\scripts\ADD_Domaincontroller.ps1"


New Forest Script

#
# Windows PowerShell script for AD DS deployment (run remotely on DC1 via Invoke-Command -FilePath)
#Set-ExecutionPolicy RemoteSigned -Force

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
# No -SafeModeAdministratorPassword is given, so the DSRM password is prompted for through the
# remoting session; pass it as a SecureString with -SafeModeAdministratorPassword to run unattended.
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "F:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "demo.local" `
-DomainNetbiosName "DEMO" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "F:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "F:\Windows\SYSVOL" `
-Force:$true


Add Domain Controller to Forest

#
# Windows PowerShell script for AD DS deployment (run remotely on DC2 via Invoke-Command -FilePath)
#Set-ExecutionPolicy RemoteSigned -Force
Install-WindowsFeature Windows-Server-Backup

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# $using:cred resolves to the $cred variable of the calling session on the management machine.
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "F:\Windows\NTDS" `
-DomainName "Demo.local" `
-InstallDns:$true `
-LogPath "F:\Windows\NTDS" `
-NoRebootOnCompletion:$true `
-ReplicationSourceDC "Demo.local" `
-SiteName "Azure" `
-SysvolPath "F:\Windows\SYSVOL" `
-Force:$true `
-Credential $using:cred `
-Confirm:$false

In the next blog and video we will look at setting up servers with Internal Network Load Balancing.


Thank you for following this article; let me know below if it was useful for you!


About Mitesh Chauhan
Mitesh Chauhan, Azure Cloud Solutions Architect. This is my blog where I share articles and thoughts on IT Infrastructure and architecture. The topics I am most passionate about are Implementation and architecture of rock solid Cloud Infrastructure based around SQL Server and Windows Server mainly using Microsoft Azure. MCTS - Azure Architecture MCTS - Azure Implementation MCSE Server Infrastructure (Windows Server 2012) , MCITP SQL Server 2008, Togaf Certified, Prince 2 Practitioner.
