Fast Start for Microsoft Azure – Azure IaaS Foundation



POC Onboarding Implementation Guide
Date: 6-Oct-16 (earlier revisions: 30-Sep-16, 9-Oct-15, 23-Jan-15)
Version 2.30 Final
Prepared by Microsoft

Table of Contents
1 Introduction
2 Pre-requisites
3 Setting Up the Microsoft Azure Site-to-Site VPN
  3.1 Create a Microsoft Azure Virtual Network
  3.2 Start the Gateway
  3.3 Configure the VPN Device
    3.3.1 Software VPN device (Windows Server 2012 RRAS, preferred option)
    3.3.2 Hardware VPN device
4 Setting Up the Microsoft Azure Point-to-Site VPN
  4.1 Create a virtual network
  4.2 Create a dynamic routing gateway
  4.3 Generate the VPN self-signed root certificate
  4.4 Generate the client certificate
  4.5 Export the self-signed root certificate
  4.6 Export the client certificate
  4.7 Upload the root certificate
  4.8 Install the client certificate
  4.9 Create the VPN client configuration package
  4.10 Install the VPN configuration package on the client
  4.11 Start the VPN connection
  4.12 Verify the VPN connection
5 Extending On-Premises Active Directory to Microsoft Azure
  5.1 Provision a New Virtual Machine
    5.1.1 Create a Storage Account
    5.1.2 Create a Virtual Machine and Deploy to Virtual Network
  5.2 Install a Replica Domain Controller in Microsoft Azure Virtual Network
    5.2.1 Create Sites and Subnets
    5.2.2 Install an Additional Domain Controller in the Cloud Site
    5.2.3 Validate the Installation
  5.3 Provision a domain joined virtual machine on boot
    5.3.1 Install Azure PowerShell
    5.3.2 VM Create and Domain Join Script
    5.3.3 Test authentication and authorization

1 Introduction
This document covers the steps required to build a Microsoft hybrid cloud made up of an existing on-premises lab/POC LAN, virtual machines in Microsoft Azure, and an Azure-validated VPN device connecting the two. It is designed to assist the resources responsible for delivering this solution.

2 Pre-requisites
The following are required in the lab or POC environment:
- An existing domain with all domain services configured (DNS, etc.) - OPTIONAL
- A Microsoft Azure subscription
- A validated Azure VPN device (see About VPN Devices for Virtual Network for the list of supported devices)
- Several IP subnets set aside by the customer's Network Administrator, per the scoping e-mail
This guide suggests IP address ranges and names (in Section 3 only) for demonstration purposes. When delivering to customers, spend adequate time making sure that the address spaces and names are appropriate for the customer environment, in particular that the Azure virtual network, its gateway subnet and the point-to-site client address space do not overlap any on-premises range that will be routed over the VPN.

3 Setting Up the Microsoft Azure Site-to-Site VPN
This section is included for convenience but should always be compared against the most current published guidance. Please contact Kevin Robinson (Kevin.Robinson@) or Roan Daley (Roan.Daley@) about any recent discrepancies. Thanks.

3.1 Create a Microsoft Azure Virtual Network
Review the "Virtual Network Overview" article if you are not familiar with the reasons for creating a virtual network within Azure.
1. Log in to the Microsoft Azure Management Portal.
2. In the lower left-hand corner of the screen, click New.
3. In the navigation pane, click Network Services, then Virtual Network, then Custom Create.
4. On the Virtual Network Details screen, enter the following information, and then click the next arrow.
   NAME: Type YourVirtualNetwork.
   AFFINITY GROUP: From the drop-down list, select Create a new affinity group. Affinity groups physically group Azure services in the same data center to reduce latency between them. Only one virtual network can be assigned to an affinity group.
   REGION: From the drop-down list, select the desired region. Your virtual network will be created in a datacenter in that region.
   AFFINITY GROUP NAME: Type YourAffinityGroup.
5. On the Address Space and Subnets screen, enter the following information, and then click the next arrow.
   The address space must be a private range in CIDR notation, from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (RFC 1918). NOTE: Click the plus button after adding each address space or subnet.
   ADDRESS SPACE: Type 10.4.0.0/16.
   SUBNETS: FrontEndSubnet 10.4.2.0/24; BackEndSubnet 10.4.3.0/24; ADDNSSubnet 10.4.4.0/24.
6. On the DNS Servers and Local Network screen, enter the following information, and then click the forward arrow.
   DNS SERVERS: Type YourDNS, 10.1.0.4 (the on-premises DNS server, which lies in the local network range entered below).
   Configure connection to local network: check Site-to-site VPN.
   GATEWAY SUBNET: Type 10.4.1.0/29. The gateway subnet must lie inside the virtual network address space, must not overlap the other subnets, and must not be used for virtual machines; a /29 is the smallest size accepted.
   LOCAL NETWORK: Select the default Create a new local network. Whether this drop-down appears depends on whether you already have local networks defined.
   If ExpressRoute is being used instead of a VPN, follow the ExpressRoute guidance rather than this section.
7. On the Create New Local Network screen, enter the following information, and then click the check mark in the lower right-hand corner. NOTE: Get the VPN device IP address from your network administrator.
   NAME: Type YourCorpHQ.
   VPN DEVICE IP ADDRESS: Enter the public IP address of your VPN device. The device must not be behind a NAT.
   ADDRESS SPACE: Type 10.1.0.0/16, then click the + sign to add any further on-premises address spaces that must reach Azure.
   Your virtual network will be created in a few minutes.
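The pre-requisites warn that the address plan must not overlap, and the wizard will happily accept a plan that does. The following PowerShell is an added example, not part of the original guide or of any Azure tooling: it checks the section 3.1 plan offline for the mistakes that cause routing failures later (ranges outside RFC 1918, subnets outside the virtual network, subnets that overlap each other, a virtual network that overlaps the on-premises local network, a DNS server address that is not inside any local network). The function names are mine, and the CIDRs used are the guide's own sample values; substitute the customer's ranges before running it.

```powershell
# Added example, not from the original guide: validate the section 3.1 address
# plan before typing it into the portal wizard. CIDRs are the guide's sample values.

function ConvertTo-AddressNumber {
    param([Parameter(Mandatory)][string]$Ip)
    $octets = $Ip.Split('.')
    if ($octets.Count -ne 4) { throw "Not an IPv4 address: '$Ip'" }
    [long]$n = 0
    foreach ($o in $octets) {
        if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) { throw "Bad octet in '$Ip'" }
        $n = $n * 256 + [int]$o
    }
    return $n
}

function ConvertTo-Range {
    # First and last address of a CIDR block as numbers, so ranges can be compared.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    if ($null -eq $prefix -or $prefix -notmatch '^\d{1,2}$' -or [int]$prefix -gt 32) { throw "Bad prefix in '$Cidr'" }
    $all  = [long][uint32]::MaxValue
    $mask = if ([int]$prefix -eq 0) { [long]0 } else { ($all -shl (32 - [int]$prefix)) -band $all }
    $first = (ConvertTo-AddressNumber $ip) -band $mask
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = ($first -bor ($all -bxor $mask)) }
}

function Test-Overlap($a, $b) { $a.First -le $b.Last -and $b.First -le $a.Last }
function Test-Inside($inner, $outer) { $inner.First -ge $outer.First -and $inner.Last -le $outer.Last }

$rfc1918 = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' | ForEach-Object { ConvertTo-Range $_ })

function Test-AddressPlan {
    param(
        [Parameter(Mandatory)][string]$VNet,
        [Parameter(Mandatory)][hashtable]$Subnets,        # name -> CIDR, gateway subnet included
        [Parameter(Mandatory)][string[]]$LocalNetworks,   # on-premises ranges behind the VPN device
        [string[]]$DnsServers = @()
    )
    $problems = @()
    $vnet   = ConvertTo-Range $VNet
    $locals = @($LocalNetworks | ForEach-Object { ConvertTo-Range $_ })

    # Every range the wizard accepts has to be private (RFC 1918).
    foreach ($r in @($vnet) + $locals) {
        if (-not ($rfc1918 | Where-Object { Test-Inside $r $_ })) { $problems += "$($r.Cidr) is not an RFC 1918 private range" }
    }
    # The Azure side and the on-premises side must be disjoint, or traffic cannot be routed.
    foreach ($l in $locals) {
        if (Test-Overlap $vnet $l) { $problems += "virtual network $VNet overlaps local network $($l.Cidr)" }
    }
    # Subnets (gateway subnet included) must sit inside the VNet and not overlap each other.
    $ranges = @{}
    foreach ($name in $Subnets.Keys) { $ranges[$name] = ConvertTo-Range $Subnets[$name] }
    foreach ($name in $ranges.Keys) {
        if (-not (Test-Inside $ranges[$name] $vnet)) { $problems += "subnet $name ($($Subnets[$name])) lies outside $VNet" }
    }
    $names = @($ranges.Keys | Sort-Object)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            if (Test-Overlap $ranges[$names[$i]] $ranges[$names[$j]]) { $problems += "subnets $($names[$i]) and $($names[$j]) overlap" }
        }
    }
    # The DNS server the VMs will use must be reachable through the local network definition.
    foreach ($dns in $DnsServers) {
        $n = ConvertTo-AddressNumber $dns
        if (-not ($locals | Where-Object { $n -ge $_.First -and $n -le $_.Last })) { $problems += "DNS server $dns is not inside any local network range" }
    }
    return $problems
}

$plan = @{
    VNet          = '10.4.0.0/16'
    Subnets       = @{ FrontEndSubnet = '10.4.2.0/24'; BackEndSubnet = '10.4.3.0/24'; ADDNSSubnet = '10.4.4.0/24'; GatewaySubnet = '10.4.1.0/29' }
    LocalNetworks = @('10.1.0.0/16')
    DnsServers    = @('10.1.0.4')
}
$issues = @(Test-AddressPlan @plan)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Address plan OK: no overlaps' }

# The classic mistake: a customer LAN segment that already uses 10.4.x.x. Expect a warning.
$plan.LocalNetworks = @('10.1.0.0/16', '10.4.0.0/22')
Test-AddressPlan @plan | ForEach-Object { Write-Warning $_ }
```

Run it once with the customer's real ranges, including every on-premises subnet that will be added to the local network definition, and again after adding the point-to-site client address space from section 4 as a further "local" range, since that pool must also be disjoint from everything else.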
   Newer versions of the wizard present the address space, subnets and gateway subnet together on one Virtual Network Address Spaces page: use Add Subnet after each subnet and Add Gateway Subnet for 10.4.1.0/29, check the CIDR of each entry because the prefix sometimes changes when the next entry is added, and use X to remove unwanted subnets. Click the check mark in the bottom right corner when done.
You now have a virtual network in Microsoft Azure, which you can see on the portal's Virtual Network tab.

3.2 Start the Gateway
This section is included for convenience but should always be compared against the most current published guidance.
1. When your virtual network has been created, the Networks screen shows Status: Created. In the Name column, click YourVirtualNetwork to open the dashboard.
2. On the Dashboard page, at the bottom, click Create Gateway. When prompted to confirm that you want the gateway created, click YES. The dashboard shows a progress message; it may take up to 15 minutes for the gateway to be created.
After the gateway has been created, gather the information your network administrator needs to configure the VPN device. PLEASE NOTE: If you are performing this lab for the accreditation knowledge measure you do not have a real VPN device, so this section will not complete; treat the Master Trainer as your Network Administrator in the step that sends them the information.
3. On the dashboard, copy the Gateway IP Address.
4. Click CONNECT to connect the new gateway.
5. Get the shared key: click MANAGE KEY at the bottom of the dashboard and copy the SHARED KEY from the dialog box. This is the IPsec pre-shared key that authenticates the tunnel, so hand it to the network administrator the way you would hand over a password, not in clear text alongside the script.
6. On the dashboard, click DOWNLOAD to download the VPN device configuration script.
7. On the Download VPN Device Config Script dialog, select the vendor, platform and operating system of your company's VPN device, click the check button and save the file. For additional supported VPN devices and script templates, see About VPN Devices for Virtual Network.
8. Send your network administrator the following: the gateway IP address, the shared key and the VPN configuration script.
Optionally, export your network configuration file for future use; see Configuring a Network Configuration File and Import a Network Configuration File.

3.3 Configure the VPN Device
For the purpose of this POC we present both options: a software VPN server (Windows Server 2012 RRAS) and a hardware VPN device. This procedure should be performed by your network administrator.

3.3.1 Software VPN device (Windows Server 2012 RRAS, preferred option)
Make sure the script you downloaded is the one for Windows Server 2012 RRAS:
   Vendor: Microsoft Corporation
   Platform: RRAS
   Operating System: Windows Server 2012
To configure the VPN device:
1. Edit the VPN configuration script in Notepad and replace the placeholders with the actual values: <SP_AzureGatewayIpAddress> with the IP address of the Azure gateway, and <SP_AzureNetworkCIDR> with the network CIDR defined when creating the virtual network (10.4.0.0/16 in this guide).
2. Save the file as a .ps1 file and execute it on the server. This installs RRAS (if not already installed) and configures the site-to-site VPN. An error message may be displayed at the end; it can be ignored. Wait a few seconds and open the RRAS console to see the result (the interface should have connected by now).
3. Go back to the Azure portal, open the virtual network and press Connect. Azure will then initiate the VPN connection between the on-premises network and the virtual network.
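The RRAS console shows whether the interface is connected, but it does not show whether the IPsec security associations were negotiated or whether traffic actually reaches the virtual network. The PowerShell below is an added example, not part of the original guide or of the Azure-generated RRAS script, to run on the RRAS server after step 3. It assumes the site-to-site interface is named after the gateway IP address, as the Azure template names it (check with Get-VpnS2SInterface if yours differs); the gateway address, the virtual network CIDR and the probe host are placeholders to replace. It uses the built-in RemoteAccess and NetSecurity cmdlets of Windows Server 2012.

```powershell
# Added example, not part of the original guide: verify the RRAS site-to-site
# tunnel after the downloaded script has run and Connect was clicked in the portal.
$AzureGatewayIp = '203.0.113.10'   # assumed; replace with the Gateway IP Address from the dashboard
$AzureVnetCidr  = '10.4.0.0/16'    # the virtual network address space from section 3.1
$ProbeHost      = ''               # assumed; set to a VM address in the VNet once one exists (section 5)

function Wait-S2SConnected {
    param([string]$Name, [int]$TimeoutSeconds = 180)
    # The Azure RRAS template names the S2S interface after the gateway IP address (assumption).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $iface = Get-VpnS2SInterface -Name $Name -ErrorAction Stop
        if ($iface.ConnectionState -eq 'Connected') { return $iface }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "S2S interface '$Name' is still '$($iface.ConnectionState)' after $TimeoutSeconds s"
}

$iface = Wait-S2SConnected -Name $AzureGatewayIp
"Interface {0}: {1}, routes {2}" -f $iface.Name, $iface.ConnectionState, ($iface.IPv4Subnet -join ', ')
if ($iface.IPv4Subnet -notmatch [regex]::Escape($AzureVnetCidr)) {
    Write-Warning "Interface carries no route for $AzureVnetCidr; check <SP_AzureNetworkCIDR> in the script"
}

# Windows equivalents of the 'show crypto isakmp sa' / 'show crypto ipsec sa' checks
# used for hardware devices: main mode (IKE) and quick mode (IPsec) security associations.
$mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $AzureGatewayIp }
$qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $AzureGatewayIp }
"Main mode SAs to gateway: {0}; quick mode SAs: {1}" -f @($mm).Count, @($qm).Count
$mm | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm | Format-Table -AutoSize
if (-not $qm) { Write-Warning 'No quick mode SA yet: IKE is up but no IPsec SA has been negotiated; send some traffic first' }

# End-to-end reachability into the virtual network over the tunnel.
if ($ProbeHost) {
    if (Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet) { "Reached $ProbeHost through the tunnel" }
    else { Write-Warning "$ProbeHost not reachable: allow ICMP on the Azure VM's firewall and make sure the on-premises route for $AzureVnetCidr points at the RRAS server" }
}
```

Two things to remember once this passes: other machines on the LAN only reach Azure if their default gateway routes 10.4.0.0/16 to the RRAS server, and the .ps1 you executed carries the shared key in clear text, so delete it or store it with the same care as the key itself.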
IMPORTANT: The VPN must be working before moving to the next step.

3.3.2 Hardware VPN device
Because each hardware VPN device is different, this is only a high-level procedure that we expect the customer's network administrator to perform. The step-by-step below uses a Cisco device; other hardware devices follow a very similar approach. NOTE: This section is purely for your education; you are not expected to know how to configure the customer's VPN device.
The configuration can be done either in a GUI or through a terminal session (use SSH rather than telnet where the device supports it: the configuration you paste contains the shared key, and telnet carries it in clear text). For more information, see Establish a Site-to-Site VPN Connection and your VPN device documentation.
To configure the VPN device:
1. Ensure the router has a valid external-facing IP address and an internal-facing IP address.
2. Verify the router can reach the internet directly, for example with a packet trace to Azure or another external website.
3. Modify the VPN configuration script and customize it to your environment and your Azure subscription.
A sample is attached. In the GUI or in the terminal session you will configure the security policies, the incoming tunnel and the outgoing tunnel.
SAMPLE terminal session for configuration:
1. Log in to the router interface.
2. Type enable and enter the password when prompted.
3. Type configure terminal.
4. Paste in the config script.
5. Exit configuration mode and type show running-config to verify that the configuration was applied (show config displays the saved startup configuration, not the running one, so it will not yet show what you just pasted).
6. Save the configuration: copy running-config startup-config.
Test your connection by running one of the following commands:

                        Cisco ASA               Cisco ISR/ASR           Juniper SSG/ISG   Juniper SRX/J
  Check main mode SAs   show crypto isakmp sa   show crypto isakmp sa   get ike cookie    show security ike security-association
  Check quick mode SAs  show crypto ipsec sa    show crypto ipsec sa    get sa            show security ipsec security-association

IMPORTANT: The VPN must be working before moving to the next step.

4 Setting Up the Microsoft Azure Point-to-Site VPN
This section is included for convenience but should always be compared against the most current published guidance.
The Microsoft Azure point-to-site VPN lets you set up VPN connections between individual computers and an Azure virtual network without a VPN device. This feature greatly simplifies secure connections between Azure and client machines, whether from an office environment or from remote locations. It is especially useful for developers who want to connect to an Azure virtual network (and to the individual virtual machines within it) from behind their corporate firewall or from a remote location. Because it is point-to-site, they do not need their IT staff to do anything to enable it, and no VPN hardware needs to be installed or configured.
Instead you use the VPN client built into Windows to tunnel to your virtual network in Azure. The tunnel uses the Secure Socket Tunneling Protocol (SSTP), which carries the connection over TLS on TCP port 443, so it passes through most firewalls and web proxies; the client is authenticated with a certificate issued from a root you control (sections 4.3 to 4.8).
(Figure: the point-to-site scenarios enabled.)
The Virtual Network creation wizard in the Microsoft Azure Management Portal has been updated so that you can configure it to enable both Site-to-Site and Point-to-Site VPN options.
There are three main parts to configuring a point-to-site VPN. Each section of this topic walks you through the tasks, in order.
- Virtual network and virtual network gateway: first, configure the virtual network itself and the virtual network gateway. These steps are done in the Management Portal.
- Certificates: next, generate and export certificates. The root certificate is uploaded to the Management Portal; a client certificate is installed on each client computer that will connect to the VPN.
- VPN client configuration: after the certificates are uploaded and installed, create, download and install the client VPN configuration package. Once the package is installed, the VPN software on the client computer is configured to create a secure connection with your virtual network.
To create a point-to-site VPN, you first create a virtual network and a dynamic routing gateway. The procedures below create the required virtual network configuration in the Management Portal. After that, you create and distribute certificates to each client computer and configure the clients with the proper VPN settings. For information about each virtual network setting in the wizard, see About Configuring a Virtual Network in the Management Portal.
During this procedure you also create a dynamic routing gateway, which is required for point-to-site VPNs. For more information about dynamic routing and VPNs, see About VPN Devices for Virtual Network.

4.1 Create a virtual network
1. Log in to the Microsoft Azure Management Portal.
2. In the lower left-hand corner of the screen, click New. In the navigation pane, click Networks, then Virtual Network, then Custom Create to begin the configuration wizard.
3. On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right (see the Virtual Network Details page reference for details on each setting): Name, Region, Affinity Group, Affinity Group Name.
4. On the DNS Servers and VPN Connectivity page, enter the following information, and then click the next arrow on the lower right. Note: You can select both Point-To-Site and Site-To-Site on this page; for the purposes of this topic we configure only Point-To-Site.
   DNS Servers
   Configure Point-To-Site VPN (select the checkbox)
5. On the Point-To-Site Connectivity page, enter the client address space (Starting IP and CIDR / Address Count) from which connecting clients receive their addresses, adding further address space if your network design requires it, and then click the next arrow. This range must not overlap the virtual network's own address space or any on-premises range, otherwise clients cannot route to them.
6. On the Virtual Network Address Spaces page, enter the following information and then click the checkmark on the lower right to configure your network.
   Address Space, including Starting IP and Count.
   Add subnet, including Starting IP and Count, only if required for your network design.
   Add gateway subnet, including Starting IP and Count. Required for this configuration.
After clicking the checkmark, your virtual network will begin to create. When it has been created, you will see Created listed under Status on the Networks page in the Management Portal. Then continue with the next procedure.

4.2 Create a dynamic routing gateway
1. In the Management Portal, on the Networks page, click the virtual network you just created and navigate to the Dashboard page.
2. Click Create Gateway at the bottom of the Dashboard page (choose Dynamic Routing if the portal offers a routing type; point-to-site requires it). A message asks "Do you want to create a gateway for virtual network 'yournetwork'". Click Yes to begin creating the gateway.

Certificates
To authenticate VPN clients, certificates must be created and exported. You generate a self-signed root certificate and client certificates chained to that root. The root certificate (public part only) is uploaded to Azure; each client certificate, with its private key, is installed on every client computer that requires connectivity. The gateway accepts any client certificate that chains to an uploaded root, so the root's private key is the credential that decides who can join the network.
Use the Certificate Creation Tool (makecert.exe) to create the X.509 certificates. MakeCert is part of the Windows SDK; see the MakeCert documentation for more information about using it.
An alternative tool for creating self-signed certificates is OpenSSL. For more general information on handling certificates in Windows, see "Working with Certificates".

4.3 Generate the VPN self-signed root certificate
1. Open the Visual Studio Command Prompt window as an administrator.
2. Change the directory to the location where you want to save the certificate file.
3. Type the command below, where <RootCertificateName> is the common name you want for the certificate (when you export it later, save the file with a .cer extension). See MakeCert for more information about using this tool.
   makecert -sky exchange -r -n "CN=<RootCertificateName>" -pe -a sha1 -len 2048 -ss My
You will later upload the root certificate to the Microsoft Azure Management Portal.

4.4 Generate the client certificate
Ensure you have completed the previous steps to create a self-signed root certificate.
Note: You can generate as many client certificates as needed with this procedure. It is recommended that you create a unique client certificate for each computer that will connect to the virtual network.
1. Open a Visual Studio Command Prompt window as administrator. This is best performed on the same computer used to create the root certificate, since the root certificate and its private key are needed to sign the client certificate.
2. Change the directory to the location where you want to save the certificate file. Verify that a copy of the root certificate exists in the folder. <RootCertificateName> refers to the certificate you generated in the previous step.
3. Type the following command:
   makecert.exe -n "CN=<CertificateName>" -pe -sky exchange -m 96 -ss My -in "<RootCertificateName>" -is my -a sha1
Note: All certificates are stored in your personal certificate store on your computer (Certificates - Current User, Personal), where certmgr.msc lets you verify them.
Two caveats on the commands as published. Both sign with -a sha1; SHA-1 signatures are deprecated, so use -a sha256 where your makecert build supports it (Windows 8 SDK and later). And -pe marks the root's private key exportable and leaves it in the Personal store of the machine you ran this on: anyone who can use that key can issue client certificates the gateway will accept, so run these steps on a machine you control and back the key up only to protected storage.
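The same root and client certificates, and the exports described next in sections 4.5 and 4.6, can be produced in one PowerShell session without makecert. The block below is an added example, not part of the original guide: it uses the New-SelfSignedCertificate cmdlet of the PKI module (Windows 10 / Windows Server 2016 or later; the Windows 8 era versions lack the -Signer and -TextExtension parameters), signs with SHA-256, and then checks what a practitioner would want checked before uploading or distributing anything: that the .cer carries no private key, that the client certificate chains to the root and that it has the Client Authentication EKU. The certificate names, the output folder and the validity periods are assumptions.

```powershell
# Added example, not from the original guide: sections 4.3 to 4.6 in one session
# using New-SelfSignedCertificate (PKI module) instead of makecert.
$OutDir     = 'C:\P2S'            # assumed output folder
$RootName   = 'YourP2SRootCert'   # assumed names; use your own
$ClientName = 'YourP2SClient01'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 4.3 Self-signed root: a signing key allowed to issue other certificates (CertSign).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$RootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddYears(5)

# 4.4 Client certificate chained to the root, with the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2), which is what the gateway looks for when the client connects.
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$ClientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') -NotAfter (Get-Date).AddYears(1)

# 4.5 Export the root as a public certificate only (.cer): this is what the portal gets.
$rootCer = Join-Path $OutDir "$RootName.cer"
Export-Certificate -Cert $root -FilePath $rootCer -Type CERT | Out-Null

# 4.6 Export the client certificate with its private key (.pfx), protected by a password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for the client certificate'
$clientPfx = Join-Path $OutDir "$ClientName.pfx"
Export-PfxCertificate -Cert $client -FilePath $clientPfx -Password $pfxPassword | Out-Null

# Checks before uploading or distributing anything.
$exportedRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootCer
if ($exportedRoot.HasPrivateKey) { throw 'Root export contains a private key; re-export as .cer only' }
if ($client.Issuer -ne $root.Subject) { throw 'Client certificate is not issued by the root' }
$eku = ($client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
if ($eku -notcontains '1.3.6.1.5.5.7.3.2') { throw 'Client certificate lacks the Client Authentication EKU' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'   # the root is self-signed, not trusted yet
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
if (-not $chain.Build($client)) { throw 'Client certificate does not chain to the root' }

"Upload $rootCer to the portal; install $clientPfx on each client (thumbprint $($client.Thumbprint))."
```

The root's private key stays in Cert:\CurrentUser\My on this machine; it never leaves in either export, which is the property the last checks confirm. Rerun only the client part, with a new $ClientName, for each additional computer.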
4.5 Export the self-signed root certificate
To export the root certificate, use certmgr.msc. Right-click the certificate you want to export, click All Tasks, then Export. Export the root certificate as a public certificate: do not export the private key. Save the root certificate as .cer.

4.6 Export the client certificate
To export a client certificate, use certmgr.msc. Right-click the client certificate you want to export, click All Tasks, then Export. Export the client certificate with the private key; this produces a .pfx file. Record the password you set for this file. Treat the .pfx and its password as credentials: send them to the client's owner through separate channels and delete spare copies once the certificate is installed.

4.7 Upload the root certificate
Upload the root certificate you exported to the Microsoft Azure portal. Verify that the certificate is in .cer format and that you are uploading the root certificate and not a chained client certificate.
1. In the Management Portal, on the Dashboard page for your virtual network, go to the quick glance menu on the right and click Upload client certificate. In this release the interface says client certificate, but it is the root certificate that you upload here.
2. On the Upload Certificate page, browse for the .cer VPN root certificate file that you exported and then click the checkmark.
Note: The certificate you upload is the .cer root certificate, not the VPN client certificate.

4.8 Install the client certificate
A client certificate must be installed on every computer that you want to connect to the virtual network. On the client computer, double-click the .pfx file to install it and enter the password when requested.
Do not modify the installation location. Once the client certificate has been installed, you can start the VPN client configuration.

4.9 Create the VPN client configuration package
Before you create the VPN client configuration package, verify the following:
- The virtual network gateway has been successfully created; you will see an IP address for your VPN gateway displayed in the portal.
- You have successfully uploaded your root certificate.
- You have exported the client certificate with its key and installed it on the computers you wish to connect to the virtual network.
In the Management Portal, on the Dashboard page for your virtual network, go to the quick glance menu on the right and click the VPN package that matches the client you want to connect to your virtual network. The following client operating systems are supported:
- Windows 7 (32-bit and 64-bit)
- Windows Server 2008 R2 (64-bit only)
- Windows 8 (32-bit and 64-bit)
- Windows Server 2012 (64-bit only)
Select the download package that corresponds to the client operating system on which it will be installed: for 32-bit clients, Download x86 Client VPN Package; for 64-bit clients, Download AMD64 Client VPN Package.
It takes a few minutes to create your client package. Once the package has been completed, you can download the file. The .exe file that you download can be safely stored on your local computer.
After you generate and download the VPN client package from the Management Portal, install it on the computer that you want to connect to your virtual network. Verify that you have installed the client certificate with its key on the local client computer before proceeding. The VPN client package contains configuration information for the VPN client software built into Windows.
The package does not install additional software.
Note: The VPN client configuration package is not signed by Microsoft. You may wish to sign the package using your organization's signing service, or sign it yourself using SignTool. It is OK to use the package without signing; however, an unsigned package produces a warning when you install it. A signature is also what lets the users who install it tell your package from a tampered copy, so prefer to sign it when it will be distributed beyond your own machine.

4.10 Install the VPN configuration package on the client
Copy the configuration file locally to the computer that you want to connect to your virtual network and double-click the .exe file. Once the configuration has completed, you can start the VPN connection.

4.11 Start the VPN connection
On the client computer, verify the following:
- The root certificate is in the Trusted Root Certification Authorities store (for example Trusted Root Certification Authorities/Certificates).
- The client certificate with its private key is installed in the Personal store (for example Console Root/Current User/Personal/Certificates).
1. On the client computer, navigate to VPN connections, locate the VPN connection for your virtual network, and click Connect.
2. A pop-up message appears asking for elevation so that the self-signed certificate for the gateway endpoint can be created; click Continue to use elevated privileges.
3. On the Connection status page, click Connect to start the connection.
4. On the Select Certificate screen, verify that the client certificate shown is the one you want to use to connect. If it is not, use the dropdown arrow to select the correct certificate, and then click OK.
You are now connected to your virtual network and have access to the services and virtual machines hosted in it.

4.12 Verify the VPN connection
To verify that your VPN connection is active, open an elevated command prompt and run ipconfig /all. The results should show a PPP adapter named after your virtual network, with an address taken from the point-to-site client address space configured in 4.1, similar to this:

   PPP adapter mahenntestnetwork2:
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : mahenntestnetwork2
      Physical Address. . . . . . . . . :
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.130.2(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.255
      Default Gateway . . . . . . . . . :
      NetBIOS over Tcpip. . . . . . . . : Enabled

5 Extending On-Premises Active Directory to Microsoft Azure

5.1 Provision a New Virtual Machine

5.1.1 Create a Storage Account
This section is included for convenience but should always be compared against the most current published guidance. For more information on Azure Storage, read "Introduction to Microsoft Azure Storage".
1. After you have created your virtual network, in the Microsoft Azure Portal, on the lower left-hand corner of the screen, click New.
2. In the navigation pane, click DATA SERVICES, STORAGE, and then QUICK CREATE.
3. Enter the following information, and then click the check mark on the bottom right of the screen.
   URL: Type yourstorage.
   REGION/AFFINITY GROUP: From the drop-down list, select YourAffinityGroup.
   ENABLE GEO-REPLICATION: Leave this box checked.
On the Storage page, the STATUS column displays Online when the process is complete.

5.1.2 Create a Virtual Machine and Deploy to Virtual Network
This section is included for convenience but should always be compared against the most current published guidance.
1. After you have created your storage account, on the lower left-hand corner of the screen, click New.
2. In the navigation pane, click COMPUTE, VIRTUAL MACHINE, and then click FROM GALLERY.
3. On the VM OS Selection screen, select Windows Server 2012 (or the most recent version available), and then click the next arrow.
4. On the Virtual machine configuration screen, enter the following information, and then click the next arrow. Tip: Write down the user name and password; these are the credentials you will use to log in to your new virtual machine.
   VERSION RELEASE DATE: Select the latest version.
   VIRTUAL MACHINE NAME: Type YourVMachine.
   TIER: Choose Standard.
   NEW USER NAME: Enter the local administrator user name (Azure does not accept the name administrator).
   NEW PASSWORD: Enter a strong password.
   CONFIRM PASSWORD: Re-enter the password.
   SIZE: Select Small.
5. On the Virtual machine mode screen, enter the following information, and then click the next arrow.
   CLOUD SERVICE: Leave Create a new cloud service (standalone virtual machine) selected.
   CLOUD SERVICE DNS NAME: Type yourcloudapplication.
   REGION/AFFINITY GROUP/VIRTUAL NETWORK: From the drop-down list, select YourVirtualNetwork.
   VIRTUAL NETWORK SUBNETS: Select FrontEndSubnet. Select at least one subnet, and DO NOT select the gateway subnet.
   STORAGE ACCOUNT: Select yourstorage.
   AVAILABILITY SET: Select none.
6. On the Virtual machine options screen, check Install the VM Agent, and then click the check mark button. Your virtual machine will now be created.
It can take up to 10 minutes for the new machine to be created.AVAILABILITY SET: Select none.VIRTUAL NETWORK SUBNETS: Select FrontEndSubnet.You should select at least one subnet and DO NOT select the gateway subnet.When your virtual machine has been created, on the virtual machines screen, the STATUS will be Running.In the navigation pane, click ALL ITEMS. All your objects you've created will be displayed with their current status.Navigate to Virtual Machines in the Azure Portal.Select the virtual machine created in the last section.At the button of the management portal select Attach -> Attach Empty Disk.Enter the desired size of the disk.Configure the cache option to NONE. Continue to create and attach the new disk. Connect to the virtual machine from the Azure Portal.Enter the Administrator credentials.Initialize and format the data disk in Disk Management. Install a Replica Domain Controller in Microsoft Azure Virtual NetworkThis section is included for convenience but should always be compared against the most current guidance. At the time of this writing you can find the published article here: HYPERLINK "" NOTE: We have already created an Azure Virtual Network, so step 2 can be ignored.The “ HYPERLINK "" Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines” is required reading to support this section.Please contact HYPERLINK "mailto:Kevin.Robinson@" Kevin.Robinson@Rodaley@ about any recent discrepancies. Thanks.To install a new Active Directory forest in Microsoft Azure – use this linkTo install an additional (Replica) domain controller from your existing Active Directory forest on a virtual machine (VM) on HYPERLINK "" Microsoft Azure Virtual NetworkMicrosoft Azure Virtual Network, follow HYPERLINK "" these instructions. In this configuration, the virtual network for the AD VM is connected to the network at your company via the VPN connection.The VPN connection must be active and verified before you can proceed with this step. 
(For more detailed info, use this link.)

Create Sites and Subnets

1. On YourPrimaryDC, click Start, click Administrative Tools and then click Active Directory Sites and Services.
2. Click Sites, right-click Subnets, and then click New Subnet.
3. In Prefix, type 10.1.0.0/24, select the Default-First-Site-Name site object and click OK.
4. Right-click Sites and click New Site.
5. In Name, type CloudSite, select DEFAULTIPSITELINK and click OK.
6. Click OK to confirm the site was created.
7. Right-click Subnets, and then click New Subnet.
8. In Prefix, type 10.4.2.0/24, select the CloudSite site object and click OK.

Install an Additional Domain Controller in the Cloud Site using Server Manager

1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation and then click Next.
4. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS and then click Next. To select remote servers, first create a server pool and add the remote servers to it. For more information about creating server pools, see
5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
6. On the Select features page, select any additional features you want to install and click Next.
7. On the Active Directory Domain Services page, review the information and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.
10. On the Deployment Configuration page, click Add a domain controller to an existing domain, and type the name of the domain (for example, root). Make sure you are installing the domain controller in the corp domain.
11. On the Domain Controller Options page, select CloudSite as the Site name and set a DSRM password.
12. On the DNS Options page, click Next.
13. On the Additional Options page, click Next.
14. On the Paths page, place the files on the data disk that you created previously.
15. On the Review Options page, click Next.
16. On the Prerequisites Check page, click Install (if all checks have passed).
17. After the wizard finishes, your computer will restart to complete the installation.

The equivalent steps in the dcpromo wizard (Windows Server 2008 R2) are:

1. Log on to YourVMachine, click Start, type dcpromo, and press ENTER.
2. On the Welcome page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and click Next.
5. On the Network Credentials page, type the credentials of a member of the Domain Admins group (or use corp\administrator credentials).
6. On the Select a Domain page, click Next.
7. On the Select a Site page, make sure that CloudSite is selected and click Next.
8. On the Additional Domain Controller Options page, click Next.
9. On the Static IP assignment warning, click Yes, the computer will use an IP address automatically assigned by a DHCP server (not recommended). See the Important note below.
10. When prompted about the DNS delegation warning, click Yes.
11. On the Location for Active Directory database, log files and SYSVOL page, click Browse and type or select a location on the data disk for the Active Directory files and click Next.
12. On the Directory Services Restore Mode Administrator Password page, type and confirm the DSRM password and click Next.
13. On the Summary page, click Next.
14. After the Active Directory Installation Wizard finishes, click Finish and then click Restart Now to complete the installation.

Important
Although the IP address on the Microsoft Azure Virtual Network is dynamic, its lease lasts for the duration of the VM. Therefore, you do not need to set a static IP address on the domain controller that you install on the virtual network. Setting a static IP address from inside the VM will cause communication failures. To set a static IP address for a VM, follow the guidance here:

Validate the Installation

1. Reconnect to the VM.
2. Click Start, right-click Command Prompt and click Run as Administrator.
3. Type the following command and press ENTER: dcdiag /c /v
4. Verify that the tests ran successfully.

After the DC is configured, run the following Windows PowerShell cmdlet to provision additional virtual machines and have them automatically join the domain when they are provisioned. The DNS client resolver settings for the VMs must be configured when the VMs are provisioned.
Substitute the correct names for your domain, VM name, and so on.

Provision a Domain Joined Virtual Machine on Boot

Install Azure PowerShell

Please refer to the DCS_DIM_Hybrid Cloud - IaaS PowerShell Guide for details about setting up Microsoft Azure PowerShell.

VM Create and Domain Join Script

To create an additional virtual machine that is domain-joined when it first boots, open Microsoft Azure PowerShell ISE and paste the following script:

    # Gallery image to deploy; replace the placeholder with the image name you selected
    $imgname = '[IMAGE-NAME]'

    # Point to the IP address of the domain controller created earlier
    $dns1 = New-AzureDns -Name '[DC-NAME]' -IPAddress '[IP ADDRESS]'

    # Configure the VM to automatically join the domain on first boot
    # (-AdminUsername is required by current Azure PowerShell versions;
    #  -JoinDomain takes the fully qualified name of the domain to join)
    $advm1 = New-AzureVMConfig -Name 'advm1' -InstanceSize Small -ImageName $imgname |
        Add-AzureProvisioningConfig -WindowsDomain -AdminUsername '[ADMIN-USERNAME]' `
            -Password '[YOUR-PASSWORD]' `
            -Domain 'contoso' -DomainPassword '[YOUR-PASSWORD]' `
            -DomainUserName 'administrator' -JoinDomain '[DOMAIN-FQDN]' |
        Set-AzureSubnet -SubnetNames 'AppSubnet'

    # New cloud service with VNet and DNS settings
    New-AzureVM -ServiceName 'someuniqueappname' -AffinityGroup 'adag' `
        -VMs $advm1 -DnsSettings $dns1 -VNetName 'ADVNET'

The DNS portion of the script (New-AzureDns and the -DnsSettings $dns1 parameter) is extremely important because it propagates the DNS server IP address to all the VMs on the network (through DHCP). Without it, the VM could not register with the domain.

Test Authentication and Authorization

In order to test authentication and authorization, create a domain user account in Active Directory. Log on to the client VM in each site and create a shared folder on the VM. Test access to the shared folder using different accounts, groups and permissions.
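The "Create Sites and Subnets" and "Validate the Installation" steps above, scripted as an added example that is not part of the guide. It assumes the ActiveDirectory module on a Windows Server 2012 or later domain controller (YourPrimaryDC), the site, subnet and site link names from the guide, and that the Azure domain controller is the VM named YourVMachine.

```powershell
# Added example (not from the guide): creates the sites and subnets from the
# "Create Sites and Subnets" steps with the ActiveDirectory module (Windows
# Server 2012 or later) and then checks that the Azure DC landed in CloudSite.
Import-Module ActiveDirectory

$cloudSite   = 'CloudSite'
$onPremNet   = '10.1.0.0/24'   # on-premises subnet (from the guide)
$cloudNet    = '10.4.2.0/24'   # Azure virtual network subnet (from the guide)
$siteLink    = 'DEFAULTIPSITELINK'
$azureDcName = 'YourVMachine'  # the VM promoted in the previous steps (assumed)

# Create the cloud site if it does not exist yet (safe to re-run)
if (-not (Get-ADReplicationSite -Filter "Name -eq '$cloudSite'")) {
    New-ADReplicationSite -Name $cloudSite
}
# Put the site on the default site link so replication with the on-premises
# site is actually scheduled
Set-ADReplicationSiteLink -Identity $siteLink -SitesIncluded @{ Add = $cloudSite }

# Map each subnet to its site; without the mapping, clients in Azure may
# authenticate against an on-premises DC across the VPN instead of the local one
$subnets = @{ $onPremNet = 'Default-First-Site-Name'; $cloudNet = $cloudSite }
foreach ($prefix in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
    }
}

# Validation: the Azure DC must be in CloudSite and replicating successfully
$dc = Get-ADDomainController -Identity $azureDcName
if ($dc.Site -ne $cloudSite) {
    throw "$($dc.HostName) is in site '$($dc.Site)', expected '$cloudSite'"
}
Get-ADReplicationPartnerMetadata -Target $dc.HostName |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

# Run dcdiag as the guide recommends; a non-zero exit code means a test failed
$target = $dc.HostName
& dcdiag "/s:$target" /c /v | Out-File "$env:TEMP\dcdiag-$azureDcName.log"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "dcdiag reported failures; see $env:TEMP\dcdiag-$azureDcName.log"
}
```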
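For the Important note above on static addresses, the following is an added example (not from the guide or the linked guidance) of reserving a static VNet IP at the Azure platform level with the classic Azure PowerShell cmdlets, so nothing is changed inside the guest. It assumes the cloud service, VM and VNet names from the script above; 10.4.2.10 is a constructed sample address in the CloudSite subnet.

```powershell
# Added example (not from the guide): reserve a static VNet address for a VM
# through the Azure platform instead of setting it inside the guest OS, which
# the guide warns causes communication failures. Classic (ASM) cmdlets assumed.
$serviceName = 'someuniqueappname'   # cloud service from the guide's script
$vmName      = 'advm1'               # VM from the guide's script
$vnetName    = 'ADVNET'              # VNet from the guide's script
$staticIp    = '10.4.2.10'           # constructed sample in the 10.4.2.0/24 subnet

# 1. Ask the platform whether the address is free before touching the VM
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $staticIp
if (-not $check.IsAvailable) {
    throw "$staticIp is in use; available alternatives: $($check.AvailableAddresses -join ', ')"
}

# 2. Reserve it on the VM's network configuration; Update-AzureVM applies it
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureStaticVNetIP -IPAddress $staticIp |
    Update-AzureVM

# 3. Confirm the reservation from Azure's side rather than from ipconfig in
#    the guest; the guest NIC stays on DHCP and receives the reserved address
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
$reserved = (Get-AzureStaticVNetIP -VM $vm).IPAddress
if ($reserved -ne $staticIp) {
    throw "Reservation failed; VM reports '$reserved'"
}
"Static VNet IP $reserved reserved for $vmName; leave DHCP enabled in the guest."
```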