Portfolio Project: Amechi Akpom

Setting Up and Managing Active Directory in Azure

In this demonstration, I walk through setting up a Windows Server domain controller in the cloud with Microsoft Azure. I also create a client virtual machine and connecting it to my domain.

I set up and configure the domain controller, ensuring connectivity between the client and the domain controller, and dive into the installation of Active Directory. I also create both admin and regular user accounts, connect my client to the domain, and establish remote desktop access for my non-admin users. I then add a few extra users to test out the client login.

When I’m done, I have a fully functional domain controller and client VM, complete with multiple user accounts and remote desktop access capabilities.

Video Demonstration

Environments and Technologies Used

  • Microsoft Azure: A cloud computing platform by Microsoft that provides virtual machines and other resources.

  • Resource Group: A logical container for resources deployed within an Azure subscription.

  • Virtual Machines (VMs): Virtualized computing resources that run operating systems and applications.

  • Windows Server 2022: A Microsoft server operating system used for the Domain Controller.

  • Windows 10: A Microsoft operating system used for the client machine.

  • Active Directory Domain Services (AD DS): A directory service for managing and organizing resources and user accounts within a domain.

  • Organizational Units (OUs): Containers within AD DS used to organize and manage objects such as users, groups, and computers.

  • Remote Desktop Protocol (RDP): A proprietary protocol by Microsoft that allows users to connect to a remote computer over a network connection.

  • PowerShell: A scripting and automation framework by Microsoft that is built on the .NET framework.

  • ICMPv4: Internet Control Message Protocol version 4 is used for error reporting and diagnostics in IPv4 networks, such as enabling the ping command.

  • DNS (Domain Name System): A hierarchical and decentralized naming system for computers and other resources connected to the internet or a private network.

List of Prerequisites

  • Microsoft Azure Account

  • Active Azure Subscription

Installation Steps

1. Set up Resources in Azure

In this section, we will create a Domain Controller VM (Windows Server 2022) named "DC-1" and a Client VM (Windows 10) named "Client-1" in Microsoft Azure.

Create the Domain Controller VM

  1. In the Azure portal, click on "Create a resource."

  2. Search for "Windows Server 2022" and select it.

  3. Click "Create" to start configuring the VM.

  4. Fill in the required information and name the VM "DC-1."

  5. For the username, enter "dc_user."

  6. Take note of the Resource Group and Virtual Network (Vnet) created during this process.

  7. Click "Review + Create" and then "Create" to deploy the VM.

Set the Domain Controller's NIC Private IP Address to Static

  1. In the Azure portal, select the "DC-1" VM.

  2. Click "Networking" from the menu on the left.

  3. Click on the link next to "Network Interface" to access the NIC settings.

  4. Select "IP configurations" from the menu on the left.

  5. Click on the Private IP listed as "(Dynamic)".

  6. Toggle the switch from Dynamic to Static and click "Save."

Create the Client VM

  1. In the Azure portal, click on "Create a resource."

  2. Search for "Windows 10" and select it.

  3. Click "Create" to start configuring the VM.

  4. Fill in the required information and name the VM "Client-1."

  5. For the username, enter "c_user."

  6. Use the same Resource Group and Vnet created during the creation of "DC-1."

  7. Click "Review + Create" and then "Create" to deploy the VM.

Verify Both VMs are in the Same Vnet

  1. In the Azure portal, go to "Network Watcher."

  2. Check the topology to ensure that both "DC-1" and "Client-1" are in the same Vnet.

2. Ensure Connectivity between the Client and Domain Controller

In this section, we will verify the connectivity between "Client-1" and the Domain Controller "DC-1" by using the ping command.

Log in to Client-1 using Remote Desktop

  1. Find the public IP address of "Client-1" in the Azure portal.

  2. Use Remote Desktop to connect to "Client-1" using its public IP address.

  3. Open Command Prompt or PowerShell.

  4. Ping the IP address of "DC-1"

Log in to the Domain Controller and Enable ICMPv4

  1. Find the public IP address of "DC-1" in the Azure portal.

  2. Use Remote Desktop to connect to "DC-1" using its public IP address.

  3. Open Windows Defender Firewall by searching for it in the taskbar or by typing wf.msc.

  4. Navigate to "Inbound Rules."

  5. Sort the rules by protocol and locate the rules with the ICMPv4 protocol.

  6. Find the "Core Networking Diagnostics - ICMP Echo Request (ICMPv4-In)" rules for both "private" and "domain" profiles.

  7. Right-click on each rule and select "Enable Rule."

Check Connectivity on Client-1

  1. Return to the "Client-1" Remote Desktop session.

  2. Verify that the ping command is now successful and receiving replies from "DC-1."

3. Install Active Directory

In this section, we will install Active Directory Domain Services on the Domain Controller "DC-1" and set up a new forest.

Verify You're on the Domain Controller

  1. Log in to "DC-1" using Remote Desktop, if not already logged in.

  2. Open Command Prompt or PowerShell.

  3. Type hostname and ensure the output is "DC-1."

Install Active Directory Domain Services

  1. Open the "Server Manager" from the Start menu.

  2. From the Server Manager Dashboard, click "Add Roles and Features."

  3. Click "Next" until you see a list of services.

  4. Select "Active Directory Domain Services" and click "Add Features."

  5. Click "Next" and then "Install."

Promote DC-1 as a Domain Controller

  1. In the upper right-hand corner of the screen, click the yellow caution icon indicating a notification.

  2. Click the link that says "promote this server to a domain controller."

  3. Select "Add a new forest."

  4. Enter the Root Domain Name: newroot.com

  5. Set the Directory Service Restore Mode (DSRM) Password to "Password1."

  6. Click "Next" through the remaining steps, waiting for the provisioning process to complete.

Restart and Log Back into DC-1

  1. If prompted to restart, do so. If not, manually restart "DC-1" once the configuration process is complete.

  2. Log back into "DC-1" using Remote Desktop with the following credentials: newroot.com\dc_user

  3. Confirm that the public IP address of "DC-1" has not changed.

Allow Time for Reconfiguration

  1. Give the Domain Controller some time to finish reconfiguring.

  2. Be patient as logging in may take a while.

4. Create an Admin and Normal User Account in Active Directory

In this section, we will create Organizational Units (OUs) and user accounts in Active Directory.

Create Organizational Units

  1. Open "Active Directory Users and Computers" from the Windows Start menu.

  2. Right-click on your domain (newroot.com) and select "New" > "Organizational Unit."

  3. Name the Organizational Unit "_EMPLOYEES."

  4. Repeat steps 2-3 to create another OU named "_ADMINS."

  5. Right-click on newroot.com and select "Refresh." Both OUs should now be visible in the list.

Create a New Admin User Account

  1. Click on the "_ADMINS" OU in the left menu.

  2. Right-click inside the right window and select "New" > "User."

  3. Fill out the "New Object - User" form:

    • First Name: Babs

    • Last Name: Gordon

    • User logon name: babs_admin (@newroot.com)

  4. Uncheck "User must change password at next logon."

  5. Check "The password never expires."

Add dc_user to the "Domain Admins" Security Group

  1. Right-click on "Babs Gordon" in the right window and select "Properties."

  2. Click the "Member Of" tab and then click "Add."

  3. Type "domain" in the "Enter the object names to select" text box and click "Check Names."

  4. Select "Domain Admins" and click "OK."

  5. Click "Apply" and "OK."

Verify the User and Computer

  1. Log out of the Remote Desktop connection to "DC-1" and log back in using the "newroot.com\dc_user" account.

  2. Open Command Prompt and type the following commands:

    • whoami (It should display "mydomain\dc_user.")

    • hostname (It should display "DC-1.")

  3. Type exit to close Command Prompt.

5. Join Client-1 to Your Domain (newroot.com)

In this section, we will join Client-1 to the newroot.com domain.

Login to Client-1

  1. Login to Client-1 using Remote Desktop and its Public IP address with the original local admin account.

  2. Confirm the user and computer using Command Prompt by typing whoami and hostname.

  3. Type ipconfig /all in Command Prompt to check the DNS Servers. It should display a Public IP address.

Set Client-1's DNS Settings

  1. From the Azure Portal, confirm DC-1's Private IP address from its VM page under "Networking."

  2. Open the VM page for Client-1, select "Networking," and click on the Network Interface link.

  3. In the new window, click on "DNS Servers" under the Settings header in the left menu. Choose "Custom."

  4. Enter DC-1's Private IP address into the "DNS server" field and click "Save."

  5. Restart Client-1 from the Azure portal by going to its VM settings page and clicking on the "Restart" link.

Login to Client-1 and Verify DNS Settings

  1. Use Remote Desktop to log into Client-1 using its Public IP address and Client-1 credentials.

  2. Open Command Prompt and execute the commands whoami, hostname, and ipconfig /all.

  3. Verify that the DNS Servers now show DC-1's Private IP address instead of the previously displayed Public IP address.

Connect Client-1 to the Domain

  1. Right-click the Windows Start button and select "System."

  2. Click "Rename this PC (advanced)" and then the "Computer Name" tab.

  3. Click "Change…" and select the "Domain" radio button.

  4. Enter "newroot.com" and click "OK."

  5. A window will open asking for a user with admin privileges. Login with "newroot.com\dc_user."

  6. Close all windows and restart Client-1.

6. Set Up Remote Desktop for Non-Administrative Users on Client-1

In this section, we will enable Remote Desktop access for non-administrative users on Client-1.

Log in and Open System Properties

  1. Log into Client-1 as newroot.com\dc_user using Remote Desktop.

  2. Right-click on the Start menu, select "System," and then click "Remote Desktop" on the right.

Add Domain Users to Remote Desktop Users

  1. Under "User Accounts," click "Select users that can remotely access this PC."

  2. Click "Add."

  3. Under "Enter object names to select," type "domain users," click "Check Names," and then click "OK."

Now, non-administrative users can log into Client-1 remotely.

Check Active Directory Users on DC-1

  1. Using Remote Desktop on your local device, connect to DC-1 with Babs Gordon's credentials.

  2. Open Active Directory Users and Computers (ADUC).

  3. Navigate to newroot.com > Users > Domain Users > Members Tab. You should see all users with access.

7. Create Additional Users and Test Login on Client-1

In this section, we will create multiple users, test login to Client-1, and simulate unlocking an account and resetting a password.

Create Additional Users

  1. Log in to DC-1 as dc_user.

  2. Open PowerShell ISE as an administrator (search for PowerShell ISE, right-click, and select "Run as Administrator").

  3. Create a new file and paste the contents of the script written by Josh Madakor (lotated at https://github.com/joshmadakor1/AD_PS/blob/master/Generate-Names-Create-Users.ps1). The script creates additional users.

  4. Run the script.

Verify New Users

  1. Open Active Directory Users and Computers (ADUC).

  2. Refresh the _EMPLOYEE OU and observe the new accounts.

Log in to Client-1 with a New User Account

  1. Sign out of Client-1 if logged in.

  2. Log in to Client-1 with a new user account (e.g., newroot.com\bow.pah) and password "Password1."