Windows Azure Training Kit - December 2012 Update

Deploying Active Directory in Windows Azure (PowerShell)


In this hands-on lab, you will walk through the steps required to deploy an Active Directory domain in the cloud and provision new virtual machines into this domain.


In this hands-on lab, you will learn how to:

  • Configure Virtual Networking
  • Deploy a Domain Controller
  • Create new Virtual Machines in the Domain


The following is required to complete this hands-on lab:


The Windows Azure PowerShell Cmdlets are required for this lab. If you have not configured them yet, please see the Automating VM Management hands-on lab in the Automating Windows Azure with PowerShell module.

Note: In order to run through the complete hands-on lab, you must have network connectivity.


This hands-on lab includes the following exercises:

  1. Configuring Virtual Networking
  2. Deploying the first Domain Controller
  3. Provisioning new Virtual Machines into the Domain

Estimated time to complete this lab: 60 minutes.

Getting Started: Obtaining Subscription's Credentials

In order to complete this lab, you will need your subscription's secure credentials. Windows Azure lets you download a Publish Settings file with all the information required to manage your account in your development environment.

Task 1 - Downloading and Importing a Publish-settings File

Note: If you have done these steps in a previous lab on the same computer you can move on to Exercise 1.

In this task, you will log on to the Windows Azure Portal and download the publish-settings file. This file contains the secure credentials and additional information about your Windows Azure Subscription to use in your development environment. Then, you will import this file using the Windows Azure Cmdlets in order to install the certificate and obtain the account information.

  1. Open an Internet Explorer browser and go to

  2. Sign in using the Microsoft Account associated with your Windows Azure account.

  3. Save the publish-settings file to your local machine.

    Downloading publish-settings file

    Downloading publish-settings file

    Note: The download page shows you how to import the publish-settings file using Visual Studio Publish box. This lab will show you how to import it using the Windows Azure PowerShell Cmdlets instead.

  4. In the start menu under Windows Azure, right-click Windows Azure PowerShell and choose Run as Administrator.

  5. Change the PowerShell execution policy to RemoteSigned. When asked to confirm press Y and then Enter.

    Set-ExecutionPolicy RemoteSigned

    Note: The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

    • Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
    • AllSigned - Only scripts signed by a trusted publisher can be run.
    • RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
    • Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

    For more information about Execution Policies refer to this TechNet article:

  6. The following script imports your publish-settings file and generates an XML file with your account information. You will use these values during the lab to manage your Windows Azure Subscription. Replace the placeholder with your publish-setting file's path and execute the script.

    Import-AzurePublishSettingsFile '[YOUR-PUBLISH-SETTINGS-PATH]'   
  7. Execute the following commands and take note of the Subscription name and the storage account name you will use for the exercise.

    Get-AzureSubscription | select SubscriptionName
    Get-AzureStorageAccount | select StorageAccountName 
  8. If you do NOT have a storage account returned above you should create one first.

    1. Run the following to determine the data center to create your storage account in. Ensure you pick a data center that shows support for PersistentVMRole.

    2. Create your storage account:

      New-AzureStorageAccount -StorageAccountName '[YOUR-SUBSCRIPTION-NAME]' -Location '[DC-LOCATION]'
  9. Execute the following command to set your current storage account for your subscription.

    Set-AzureSubscription -SubscriptionName '[YOUR-SUBSCRIPTION-NAME]' -CurrentStorageAccount '[YOUR-STORAGE-ACCOUNT]'

Exercise 1: Configuring Virtual Networking

Running an Active Directory Domain requires persistent IP addresses and for clients of the Active Directory Domain to point to an AD enabled DNS server. The default internal DNS service (iDNS) in Windows Azure is not an acceptable solution because the IP address assigned to each virtual machine is not persistent. For this solution you will define a virtual network where you can assign the virtual machines to specific subnets. Using this technique you can plan on what the IP address of a specific VM will be and know that it will be persistent.

The network configuration used for this lab defines the following:

  • A Virtual Network Named ADVNET with an address prefix of:
  • A subnet named ADSubnet with an address prefix of:
  • A subnet named AppSubnet with an address prefix of:

Task 1 - Creating an Affinity Group

  1. Execute the following command to retrieve the Available Data Center Locations.

    Get-AzureLocation | select name
  2. Define a variable ($dclocation) and set its value with the name of the data center you want to deploy to.

    $dclocation = '[YOUR-LOCATION]'
  3. The first step is to create an affinity group with the same name specified in ad-vnet.xml (adag).

    $affinityGroup = 'adag'
    New-AzureAffinityGroup -Name $affinityGroup -Location $dclocation
  4. Next, apply the virtual network settings in the file ad-vnet.xml under Source\Assets folder, to your subscription.

    $ConfigPath = 'c:\WATK\Labs\DeployingActiveDirectoryPS\Source\Assets\ad-vnet.xml' 
    Set-AzureVNetConfig -ConfigurationPath $ConfigPath 
  5. Create a storage account in the same affinity group as the virtual network. The storage account you create must be unique.

    New-AzureStorageAccount -StorageAccountName 'someuniquename' -AffinityGroup $affinityGroup

Exercise 2: Deploying the first Domain Controller

We can choose whether to use the Windows Azure Portal or PowerShell to provision the virtual machine that will be our domain controller. In this exercise, you will use PowerShell since you will be using it in the next exercise to demonstrate domain join automation.

Task 1 - Creating the First VM and Deployment with Networking Settings

  1. Run the following command to return the available images.

    Get-AzureVMImage | Select ImageName
  2. Choose one of the Windows Server 2008 R2 Images and specify it as the value to $imgname below.

    $imgname = 'ImageNameGoesHere'
  3. Next run the following commands to create the domain controller in the correct virtual network and subnet with an additional disk of 20 GB.

    $cloudsvc = 'some-unique-name'
    $vmname1 = 'ad-dc'
    $subnet = 'ADSubnet'
    $vnet = 'ADVNET'
    $pwd = '[YOUR-PASSWORD]'
    New-AzureVMConfig -Name $vmname1 -InstanceSize Small -ImageName $imgname |
        Add-AzureProvisioningConfig -Windows -Password $pwd |
        Set-AzureSubnet -SubnetNames 'ADSubnet' |
        Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'DITDrive' -LUN 0 |
        New-AzureVM -ServiceName $cloudsvc -AffinityGroup 'adag' -VNetName 'ADVNET'

Task 3 - Creating the Domain Controller

  1. Login to the newly created virtual machine in the Windows Azure Portal by clicking on Virtual Machines, the VM ad-dc, and click Connect at the bottom.

Note: Before connecting to the VM, you have to wait until it gets to the Running state.

  1. Once logged in, start a console session and run the command IPConfig and copy the IPv4 IP Address returned. You will use it later to provision new VMs in the domain.


    Virtual Machine IP

  2. Open Computer Management by going to Start | All Programs | Administrative Tools | Computer Management.

  3. Expand the Storage node and select Disk Management.

    Opening Disk Management

    Opening Disk Management

  4. Initialize Disk 2 by clicking OK in the Initialize Disk dialog.

    Initializing Disk

    Initializing the disk

  5. Right-click over the unallocated disk space and select New Simple Volume.

    Creating a new simple volume

    Creating a New Simple Volume

  6. Follow the New Simple Volume Wizard and set the Volume label to DIT. Click Finish. The disk will be formatted and ready to be used.

    Formatted disk

    Formatted disk

  7. Now, you will start the Active Directory Domain Services Installation Wizard. To do this, click start and run and type in DCPromo and press enter. Wait until the ADDS binaries are installed.


    Active Directory Domain Services Installation Wizard

  8. Click Next two times.

  9. Choose Create a new domain in a new forest and click Next.


    Creating a new domain in a new forest

  10. Name the Forest Root Domain and click Next.

    setting the domain name

    Setting the domain name

  11. Set the functional level to Windows Server 2008 R2. Click Next and wait until the process completes.


    Selecting the forest functional level

  12. Use the default selection to create a DNS server. Click Next.


    Selecting additional options

  13. Choose Yes, the computer will use an IP address automatically assigned by a DHCP server (not recommended).


    Using automatically assigned IP

    Note: Using Virtual Networks with Windows Azure IaaS the IP address has a lifetime of the virtual machine lease. Do NOT set the IP address to static.

  14. Since you are not integrating into an existing AD environment in this lab, click Yes.


    DNS Creation Warning

  15. Set the Database, Log files and the SYSVOL folders location to the recently formatted data disk (for example F:\NTDS for Database, F:\NTDSLogs for Logs and F:\SYSVOL for SYSVOL). Click Next to continue.


    Setting values for Database, Logs and SYSVOL folders

  16. Type in the same password used for provisioning the original machine and click Next.


    Setting Domain Administrator password

  17. Finally, click Next again and allow for Active Directory to be configured, this will take several minutes. When prompted to allow reboot choose Restart Now.

Exercise 3: Provisioning new Virtual Machines into the Domain

Once the domain controller has finished booting you will now be able to provision virtual machines and have them automatically join the domain when they are provisioned. This is accomplished by creating a new cloud service as the container for the new virtual machines. The DNS servers for the VMs can be automatically configured by specifying DNS settings during the initial deployment of the cloud service.

Task 1 - Provisioning a Virtual Machine that is Domain Joined on Boot

The example below demonstrates how you can automatically provision new virtual machines that are joined to the Active Directory domain at boot.

  1. Execute the following commands in the Windows Azure PowerShell console.

    Note: To get the IP Address of the Domain Controller, connect to the VM you have created. In a command prompt, enter IPConfig and copy the IPv4


    # Point to IP Address of Domain Controller Created Earlier
    $dns1 = New-AzureDns -Name 'ad-dc' -IPAddress '[Domain-Controller IP Address]'
    # Configuring VM to Automatically Join Domain
    $advm1 = New-AzureVMConfig -Name 'advm1' -InstanceSize Small -ImageName $imgname | 
        Add-AzureProvisioningConfig -WindowsDomain -Password '[YOUR-PASSWORD]' `
            -Domain 'contoso' -DomainPassword '[YOUR-PASSWORD]' `
             -DomainUserName 'administrator' -JoinDomain '' |
        Set-AzureSubnet -SubnetNames 'AppSubnet' 
    # New Cloud Service with VNET and DNS settings
    New-AzureVM -ServiceName '[SOMEUNIQUEAPPNAME]' -AffinityGroup 'adag' `
                            -VMs $advm1 -DnsSettings $dns1 -VNetName 'ADVNET' 

    Note: The Add-AzureProvisioningConfig also takes a -MachineObjectOU parameter which if specified (requires the full distinguished name in AD) allows for setting group policy settings on all of the virtual machines in that container.

    AD Architecture

    Resulting Architecture

  2. Once the VM is provisioned, connect to the newly created virtual machine in the Windows Azure Portal by clicking on Virtual Machines, select the VM, and click Connect at the bottom.

  3. Open the Initial Configuration Tasks and verify the domain is

    Initial configuration tasks

    Initial configuration tasks


In this lab, you walked through the steps of deploying a new Active Directory Domain using Windows Azure virtual machines and a simple virtual network. This lab also demonstrated how once in place virtual machines could be provisioned joined to the domain at boot time.

top of page