Step-by-Step: Auto-Provision a New Active Directory Domain in the Azure Cloud using the VM Agent Custom Script Extension

The Azure Virtual Machine Agent Custom Script Extension allows you to download custom PowerShell scripts inside Azure VMs and execute them as part of the post-provisioning process.  Custom Script Extensions provide a great deal of flexibility for customizing the provisioning of new VMs without the need to maintain a distinct custom VM image for every individual workload scenario.

In this article, we’ll step through the process of using the Custom Script Extension to auto-provision a new Active Directory Domain Controller in a new AD Forest on a Microsoft Azure Virtual Network.

Task 1: Getting Started

You can leverage the Custom Script Extension when provisioning Virtual Machines from the Azure Management Portal as well as from within the Azure PowerShell Module. But first, you’ll need an active Azure subscription …

Once you have an active Azure subscription, you can head over to the Microsoft Azure Management Portal to provision and manage Azure cloud resources.

Task 2: Provision an Azure Virtual Network

Before building a new Active Directory Domain Controller in the Azure cloud, we’ll need to setup a Virtual Network that defines an IP address space and subnet over which this DC will communicate. 

We can quickly define a new Virtual Network from the Azure Management Portal by clicking New | Network Services | Virtual Network | Quick Create.

Figure: Defining a new Virtual Network in the Azure Cloud

Tip! When defining this new Virtual Network, be sure that the DNS Server field is set to None (for now). 

Ultimately, our new Active Directory DC will serve as a DNS Server on this Virtual Network, but if we configure the DNS Server field now, the VM that will host AD will not initially be able to successfully perform DNS name resolution – that’s because DNS is not installed inside this VM until the AD/DNS configuration process has completed after the Custom Script execution completes.  When the DNS Server field for a Virtual Network is set to None, the Azure Virtual Network automatically supplies a DNS server that can perform public DNS name resolution.

We’ll come back to configuring the Virtual Network with a DNS Server value at the end of this article.

Task 3: Create a Custom Script to Auto-Provision AD and DNS

When provisioning a new VM, we can supply a custom script that will be downloaded and executed inside the VM as part of its post-provisioning process by the VM Agent Custom Script Extension.  We can create this script and save it locally as a PowerShell script named adforest.ps1.

# adforest.ps1 - executed inside the VM by the Custom Script Extension.
# Arguments are supplied in the portal (Task 4) in this order:
#   $args[0] = Active Directory domain name (e.g. contoso.local)
#   $args[1] = Safe Mode Administrator password (plain text, converted below)
$domainName = $args[0]
$password = $args[1]

# Set the connection-specific DNS suffix on the VM's network adapter(s)
Set-DnsClient `
    -InterfaceAlias "Ethernet*" `
    -ConnectionSpecificSuffix $domainName

# Install the AD DS role binaries together with the management tools
Install-WindowsFeature `
    -Name AD-Domain-Services `
    -IncludeManagementTools

# Install-ADDSForest requires a SecureString for the DSRM password
$securePassword = ConvertTo-SecureString $password `
    -AsPlainText `
    -Force

# Promote this VM to the first domain controller of a new forest.
# DNS Server is installed automatically for a new forest; -Force suppresses
# confirmation prompts so the script can run unattended.
Install-ADDSForest `
    -DomainName $domainName `
    -SafeModeAdministratorPassword $securePassword `
    -Force

adforest.ps1 - Sample Script to Auto-Provision AD and DNS

Note that the VM Agent Custom Script Extension will execute this script during the VM post-provisioning process using the built-in NT AUTHORITY\SYSTEM credentials.  These credentials work fine for provisioning Active Directory, but if you have a custom script that will be auto-provisioning other application services, you may need to configure the script to execute with alternate credentials.  We’ll cover these steps in a future scenario.

Task 4: Provision an Azure Virtual Machine

Using the Microsoft Azure Management Portal, we’ll provision a new Virtual Machine on the Virtual Network defined in Task 2 above.  As part of this provisioning process, we’ll specify the name of our custom script defined in Task 3 and pass the parameter values for the Active Directory Domain Name and Safe Mode Admin Password to be configured.

  1. In the Microsoft Azure Management Portal, click New | Compute | Virtual Machine | From Gallery.

  2. On the Choose an Image page, select the Windows Server 2012 R2 Datacenter platform image, then click the next arrow to continue.

  3. On the Virtual Machine Configuration page, specify a unique Virtual Machine Name and a local Admin user name and password, then click the next arrow to continue.

  4. On the next page, select the Azure Virtual Network defined in Task 2, then click the next arrow to continue.

  5. On the last page, check the Custom Script option. Click the From Local button and select the custom script file saved in Task 3 (adforest.ps1). Specify the argument values for the Active Directory domain name and the Safe Mode Administrator password, then click the finish button to begin the virtual machine provisioning process.

After the Virtual Machine is provisioned from the selected platform image, it will be placed into a Running state.  Once in this state, the custom script will be executed to auto-provision DNS and Active Directory.  After the custom script completes, the VM will automatically restart as your first domain controller on the Azure Virtual Network! Note that the DNS and Active Directory provisioning process can take 5 to 10 minutes to complete before the VM is restarted.

Tip! Custom script extension log file output is written inside the VM in the following folder location:

C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.1
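Task 1 mentioned that the Custom Script Extension can also be driven from the Azure PowerShell Module. The following is an added example, not part of the original article, that performs Task 4 from the command line using the classic (Service Management) Azure PowerShell cmdlets of this article's era; the storage account, container, VM, cloud service and Virtual Network names are placeholders, and the cloud service is assumed to already exist in the Virtual Network's region.

```powershell
# Added example (not from the original article): attach adforest.ps1 to a new VM
# with the classic Azure PowerShell module. All names below are placeholders.
$storageAccount = "mystorageaccount"   # placeholder: storage account in your subscription
$container      = "scripts"            # placeholder: blob container for custom scripts
$scriptName     = "adforest.ps1"       # the script written in Task 3
$domainName     = "contoso.local"      # placeholder: new AD forest root domain

# Prompt for secrets instead of hard-coding them in this script
$safeModePwd    = Read-Host -Prompt "Safe Mode Administrator password"
$localAdminPwd  = Read-Host -Prompt "Local Admin password for the VM"

# 1. Upload adforest.ps1 to a private blob container so the extension can fetch it
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
New-AzureStorageContainer -Name $container -Permission Off -Context $ctx `
    -ErrorAction SilentlyContinue | Out-Null
Set-AzureStorageBlobContent -File ".\$scriptName" -Container $container `
    -Blob $scriptName -Context $ctx -Force | Out-Null

# 2. Pick the newest Windows Server 2012 R2 Datacenter gallery image (as in Task 4, step 2)
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1 -ExpandProperty ImageName

# 3. Build the VM configuration and attach the Custom Script Extension.
#    -Argument is handed to the script as $args, exactly like the portal's argument field.
$vm = New-AzureVMConfig -Name "DC01" -InstanceSize Small -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername "vmadmin" -Password $localAdminPwd |
    Set-AzureVMCustomScriptExtension -ContainerName $container -FileName $scriptName `
        -StorageAccountName $storageAccount -StorageAccountKey $key `
        -Run $scriptName -Argument "$domainName $safeModePwd"

# 4. Create the VM on the Virtual Network from Task 2 (DNS Server still set to None there)
New-AzureVM -ServiceName "dc01-svc" -VNetName "MyVNet" -VMs $vm
```

The extension's progress and the script's output can then be followed in the log folder shown in the tip above.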

Task 5: Add DNS Server settings on Azure Virtual Network

After the first VM is provisioned as a DNS server and Active Directory domain controller, you can configure the Azure Virtual Network to use the internal IP of this VM for DNS name resolution.

  1. In the Azure Management Portal, click Networks on the side navigation panel, and then click the name of the Virtual Network defined in Task 2.

  2. On the Virtual network details page, click the Configure tab. Add a new entry in the DNS Servers list that points to the internal IP address of the VM provisioned in Task 4, then click the Save button on the bottom toolbar to save this change.

Now that the Azure Virtual Network is configured with DNS Server information, additional VMs that are provisioned on this same Virtual Network will automatically use these DNS Server settings for hostname resolution.

Continue your Hybrid Cloud learning!

In this article, we’ve used the Azure VM Agent Custom Script Extension to quickly provision a new Active Directory Domain on an Azure Virtual Network.  In future articles, we’ll look at leveraging the Custom Script Extension to provision other workloads as well.

To continue your learning on Microsoft Azure and Hybrid Cloud, be sure to join our FREE Hybrid Cloud study track in our online Early Experts study group!