Applies to: Hyperconverged deployments of Azure Local
This article explains how to prepare Active Directory for Azure Local deployment, including creating the required OU and permissions to help avoid deployment issues.
Active Directory requirements for Azure Local include:
- A dedicated organizational unit (OU).
- Group policy inheritance that's blocked for the applicable Group Policy Object (GPO).
- A user account that has all rights to the OU in Active Directory.
Note
- You can use your existing process to meet the preceding requirements. The script used in this article is optional and is provided to simplify the preparation.
- When you block group policy inheritance at the OU level, GPOs that have the Enforced option enabled aren't blocked. If applicable, ensure that these GPOs are blocked by other means, such as a Windows Management Instrumentation (WMI) filter. Apply the WMI filter to each enforced GPO so that the computer accounts of your Azure Local machines are excluded from applying it. Once the filter is applied, the enforced GPOs no longer apply to those machines, according to the logic defined in the WMI filter.
To manually assign the required permissions for Active Directory, create an OU, and block GPO inheritance, see Custom Active Directory configuration for your Azure Local.
Prerequisites
Complete the prerequisites for new deployments of Azure Local.
Install version 2402 of the AsHciADArtifactsPreCreationTool module. Run the following command to install the module from the PowerShell Gallery:
Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force
Note
Make sure to uninstall any previous versions of the module before installing the new version.
You need permissions to create an OU. If you don't have permissions, contact your Active Directory administrator.
If you have a firewall between your Azure Local system and Active Directory, ensure that the proper firewall rules are configured. For specific guidance, see Firewall requirements for Active Directory Web Services and Active Directory Gateway Management Service. See also How to configure a firewall for Active Directory domains and trusts.
Deployment user requirements
The Lifecycle Manager (LCM) deployment user account must meet the following Active Directory requirements for Azure Local deployment and lifecycle management.
- Interactive logon. The deployment user must be allowed to log on interactively.
- Log on as a batch job. The deployment user must have the Log on as a batch job user rights. Ensure that the default domain policy doesn't deny this right, or explicitly grant it to the deployment user account.
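The following added example (not part of the Azure Local documentation or the AsHciADArtifactsPreCreationTool module) checks the second requirement from a node: it exports the effective user-rights policy with secedit.exe and reports whether the deployment account is directly listed in SeBatchLogonRight (Log on as a batch job) or in SeDenyBatchLogonRight, which overrides any grant. It assumes an elevated PowerShell session on a domain-joined Windows machine; the account name contoso\lcmuser is a placeholder.

```powershell
# Added example, not from the Azure Local documentation or the module.
# Reports whether an account is directly granted or denied the
# "Log on as a batch job" right in the effective local security policy.
# Assumptions: elevated PowerShell on a domain-joined Windows machine;
# secedit.exe ships with Windows. 'contoso\lcmuser' is a placeholder.
function Test-BatchLogonRight {
    param(
        [Parameter(Mandatory)]
        [string] $AccountName
    )

    # secedit lists principals by SID (prefixed with '*'), so resolve the account first.
    $nt  = [System.Security.Principal.NTAccount] $AccountName
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the effective policy to a temporary INF file.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $lines = Get-Content -Path $cfg
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }

    # Each right is one line in the INF, for example:
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
    # Returns the SIDs listed for a privilege name (empty array if the line is absent).
    $getMembers = {
        param([string] $Right)
        $line = $lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }

    $granted = @(& $getMembers 'SeBatchLogonRight')
    $denied  = @(& $getMembers 'SeDenyBatchLogonRight')

    # Only direct entries are compared; a grant or deny that reaches the account
    # through group membership (for example Backup Operators) is not resolved here.
    [pscustomobject]@{
        Account         = $AccountName
        Sid             = $sid
        DirectlyGranted = $granted -contains $sid
        DirectlyDenied  = $denied -contains $sid
        GrantedSids     = $granted
        DeniedSids      = $denied
    }
}

# Usage: DirectlyDenied = $true means SeDenyBatchLogonRight names the account
# and will override any grant, which is exactly the case the article warns about.
Test-BatchLogonRight -AccountName 'contoso\lcmuser' | Format-List
```

Because the deny right wins over the allow right, a result with DirectlyDenied set is the one to fix first; a missing DirectlyGranted may still be satisfied through one of the listed group SIDs, which you can check against the account's group membership.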
Active Directory preparation module
To prepare Active Directory for Azure Local deployments, use the New-HciAdObjectsPreCreation cmdlet from the AsHciADArtifactsPreCreationTool PowerShell module. Here are the required parameters for the cmdlet:
| Parameter | Description |
|---|---|
| -AzureStackLCMUserCredential | A new user object that you create with the appropriate permissions for deployment. This account is the same as the user account used by the Azure Local deployment. Make sure that you provide only the username. Don't include the domain name in the name, for example, contoso\username. The password must conform to the length and complexity requirements. Use a password that's at least 14 characters long. The password must contain: a lowercase character, an uppercase character, a numeral, and a special character. For more information, see password complexity requirements. The name can't be exactly the same as the local admin user. You can't use admin as the username. The name must be unique for each Azure Local instance (deployment). |
| -AsHciOUName | A new Organizational Unit (OU) to store all the objects for the Azure Local deployment. This OU blocks existing group policies and inheritance to ensure there's no conflict of settings. Specify the OU as the distinguished name (DN). For more information, see the format of Distinguished Names. |
Note
- The -AsHciOUName path doesn't support the following special characters anywhere within the path: & , " , ' , < , >.
- After the deployment is complete, moving the computer objects to a different OU isn't supported.
Prepare Active Directory
When you prepare Active Directory, you create a dedicated Organizational Unit (OU) to hold the Azure Local related objects, such as the deployment user.
To create a dedicated OU, follow these steps:
Sign in to a computer that is joined to your Active Directory domain.
Run PowerShell as administrator.
Run the following command to create the dedicated OU.
New-HciAdObjectsPreCreation -AzureStackLCMUserCredential (Get-Credential) -AsHciOUName "<OU name or distinguished name including the domain components>"
When prompted, provide the username and password for the deployment.
- Make sure that only the username is provided. The name shouldn't include the domain name, for example, contoso\username. The username must be 1–20 characters long, contain only letters, numbers, hyphens, and underscores, and can't start with a hyphen or number.
- Make sure that the password meets complexity and length requirements. Use a password that is at least 14 characters long and contains: a lowercase character, an uppercase character, a numeral, and a special character.
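As an added example (not part of the Azure Local documentation or the module), the script below encodes the username, password and OU name rules stated in this article as pre-flight checks and only builds the PSCredential for New-HciAdObjectsPreCreation when all of them pass. The function names, the sample OU OU=HCI01,DC=contoso,DC=com and the placeholder password are assumptions, not values from the page.

```powershell
# Added example, not from the Azure Local documentation or the module.
# Pre-flight checks for the -AzureStackLCMUserCredential and -AsHciOUName rules
# described in the article. Function names and sample values are constructed.

function Test-LcmUserName {
    param([Parameter(Mandatory)] [string] $UserName)
    $problems = @()
    if ($UserName -match '[\\@]') { $problems += 'Provide only the username, not contoso\username or a UPN.' }
    if ($UserName -ieq 'admin')   { $problems += "'admin' can't be used as the username." }
    # 1-20 characters; letters, numbers, hyphens, underscores; no leading hyphen or digit.
    if ($UserName -notmatch '^[A-Za-z_][A-Za-z0-9_-]{0,19}$') {
        $problems += 'Username must be 1-20 letters, numbers, hyphens or underscores and must not start with a hyphen or number.'
    }
    return $problems
}

function Test-LcmPassword {
    param([Parameter(Mandatory)] [string] $Password)
    $problems = @()
    if ($Password.Length -lt 14)            { $problems += 'Password must be at least 14 characters long.' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'Password needs a lowercase character.' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'Password needs an uppercase character.' }
    if ($Password -notmatch '[0-9]')        { $problems += 'Password needs a numeral.' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'Password needs a special character.' }
    return $problems
}

function Test-AsHciOUName {
    param([Parameter(Mandatory)] [string] $OUName)
    $problems = @()
    # Characters the -AsHciOUName path doesn't support: & " ' < >
    if ($OUName -match '[&"''<>]') { $problems += 'OU path contains one of the unsupported characters & " '' < >.' }
    # Must be a distinguished name: OU components followed by the domain components.
    if ($OUName -notmatch '^OU=[^,]+(,OU=[^,]+)*(,DC=[^,]+)+$') {
        $problems += 'Specify the OU as a distinguished name, for example OU=HCI01,DC=contoso,DC=com.'
    }
    return $problems
}

# Runs every check and returns a PSCredential only when nothing is wrong.
function New-LcmCredentialChecked {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $OUName
    )
    $problems = @(Test-LcmUserName $UserName) + @(Test-LcmPassword $Password) + @(Test-AsHciOUName $OUName)
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $null
    }
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Constructed placeholder values; replace '<password>' and the OU DN with your own.
$ouName = 'OU=HCI01,DC=contoso,DC=com'
$cred   = New-LcmCredentialChecked -UserName 'lcmuser' -Password '<password>' -OUName $ouName
if ($cred) {
    New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $cred -AsHciOUName $ouName
}
```

Running the checks first avoids a half-completed preparation in which the OU is created but the user object is rejected, and it makes the failure reason visible as a warning instead of a cmdlet error.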
Here's a sample output from a successful completion of the script:
PS C:\work> $password = ConvertTo-SecureString '<password>' -AsPlainText -Force
PS C:\work> $user = "lcmuser"
PS C:\work> $credential = New-Object System.Management.Automation.PSCredential ($user, $password)
PS C:\work> New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $credential -AsHciOUName "OU=ms309,DC=PLab8,DC=nttest,DC=microsoft,DC=com"
PS C:\work>
Verify that the OU is created. If you're using Windows Server, go to Server Manager > Tools > Active Directory Users and Computers.
An OU with the specified name is created, and it contains the new LCM deployment user account.
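The same verification can be scripted. The following added example (not part of the Azure Local documentation or the module) confirms that the OU exists, that group policy inheritance is blocked on it, that the deployment user sits directly inside it, and lists any enforced GPO links that still reach the OU despite Block Inheritance, which is the case the earlier note about WMI filters covers. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the machine; the OU DN and username are constructed placeholders.

```powershell
# Added example, not from the Azure Local documentation or the module.
# Verifies the result of the Active Directory preparation step.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are installed;
# the OU DN and username used at the bottom are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-AzureLocalOU {
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName,
        [Parameter(Mandatory)] [string] $LcmUserName
    )

    # 1. The OU must exist; Get-ADOrganizationalUnit throws when it doesn't.
    try {
        $null = Get-ADOrganizationalUnit -Identity $OUDistinguishedName -ErrorAction Stop
    }
    catch {
        return [pscustomobject]@{
            OU                 = $OUDistinguishedName
            OUExists           = $false
            InheritanceBlocked = $null
            LcmUserInOU        = $null
            EnforcedGpoLinks   = @()
        }
    }

    # 2. Group policy inheritance must be blocked on the OU.
    $inheritance = Get-GPInheritance -Target $OUDistinguishedName

    # Enforced GPOs linked higher in the tree are not stopped by Block Inheritance,
    # so list the inherited links reported as enforced for a manual review.
    $enforced = $inheritance.InheritedGpoLinks |
        Where-Object { $_.Enforced } |
        Select-Object -ExpandProperty DisplayName

    # 3. The deployment user must be a direct child of the OU (OneLevel search).
    $user = Get-ADUser -Filter "SamAccountName -eq '$LcmUserName'" `
        -SearchBase $OUDistinguishedName -SearchScope OneLevel

    [pscustomobject]@{
        OU                 = $OUDistinguishedName
        OUExists           = $true
        InheritanceBlocked = $inheritance.GpoInheritanceBlocked
        LcmUserInOU        = [bool] $user
        EnforcedGpoLinks   = @($enforced)
    }
}

# Constructed placeholders; use the DN and username you passed to the cmdlet.
Test-AzureLocalOU -OUDistinguishedName 'OU=HCI01,DC=contoso,DC=com' -LcmUserName 'lcmuser' | Format-List
```

A non-empty EnforcedGpoLinks list doesn't mean the preparation failed; it tells you which enforced GPOs will still apply to the Azure Local computer accounts so you can decide whether a WMI filter is required for them.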
Note
If you're repairing a single machine, don't delete the existing OU. If the machine volumes are encrypted, deleting the OU removes the BitLocker recovery keys.
Considerations for large scale deployments
The LCM user account is used during servicing operations, such as applying updates via PowerShell. This account is also used when performing domain join actions against your AD, such as repairing a node or adding a node. These actions require that the LCM user identity has delegated permissions to add computer accounts to the target OU in the on-premises domain.
During the cloud deployment of Azure Local, the LCM user account is added to the local administrator's group of the physical nodes. The LCM account username must be unique for each Azure Local instance (deployment). To further mitigate the risk of a compromised LCM user account, we also recommend using a dedicated LCM user account with a unique password for each Azure Local instance. This recommendation limits the scope and impact of a compromised LCM account to a single instance.
We recommend that you follow these best practices for OU creation. These recommendations are automated when you use the New-HciAdObjectsPreCreation cmdlet to Prepare Active Directory.
- For each Azure Local instance, create an individual OU within Active Directory. This approach helps manage the LCM user account, the computer accounts of the physical machines, and the cluster name object (CNO) within the scope of a single OU for each instance.
- When deploying multiple instances at scale, for easier management:
- Create an OU under a single parent OU for each instance.
- Enable the Block Inheritance option at both the parent OU and sub OU levels.
- To apply a GPO to all Azure Local instances, such as for nesting a domain group in the local administrators group, link the GPO to the parent OU and enable the Enforced option. By doing this, you apply the configuration to all sub OUs, even with Block Inheritance enabled.
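The layout described in these bullets, as an added example that is not part of the Azure Local documentation or the AsHciADArtifactsPreCreationTool module: the script creates the parent OU, blocks inheritance on it, links an enforced GPO to it, and then lets New-HciAdObjectsPreCreation create each instance's own sub OU and dedicated deployment user underneath, prompting for a separate credential per instance so that every instance gets its own username and password. The RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed, and the domain DN, OU names, instance names and GPO name AzureLocal-LocalAdmins are constructed placeholders (the GPO is assumed to exist already).

```powershell
# Added example, not from the Azure Local documentation or the module.
# Builds the parent OU for at-scale deployments and runs the preparation
# cmdlet once per instance under it.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are installed;
# all names below are constructed placeholders; the GPO already exists.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Initialize-AzureLocalParentOU {
    param(
        [Parameter(Mandatory)] [string] $DomainDN,       # e.g. 'DC=contoso,DC=com'
        [Parameter(Mandatory)] [string] $ParentOUName,   # e.g. 'AzureLocal'
        [string] $EnforcedGpoName                        # GPO every instance must receive
    )
    $parentDn = "OU=$ParentOUName,$DomainDN"

    # Create the parent OU only if it doesn't exist yet (idempotent re-runs).
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ParentOUName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $ParentOUName -Path $DomainDN
    }

    # Block Inheritance at the parent level, as recommended above.
    Set-GPInheritance -Target $parentDn -IsBlocked Yes | Out-Null

    # An Enforced link on the parent still applies to every sub OU even though
    # each sub OU blocks inheritance. Create the link, or enforce an existing one.
    if ($EnforcedGpoName) {
        $links  = (Get-GPInheritance -Target $parentDn).GpoLinks
        $linked = $links | Where-Object { $_.DisplayName -eq $EnforcedGpoName }
        if ($linked) {
            Set-GPLink -Name $EnforcedGpoName -Target $parentDn -Enforced Yes | Out-Null
        }
        else {
            New-GPLink -Name $EnforcedGpoName -Target $parentDn -Enforced Yes | Out-Null
        }
    }
    return $parentDn
}

# 1. Parent OU with Block Inheritance and the enforced GPO link.
$parentDn = Initialize-AzureLocalParentOU -DomainDN 'DC=contoso,DC=com' `
    -ParentOUName 'AzureLocal' -EnforcedGpoName 'AzureLocal-LocalAdmins'

# 2. One sub OU and one dedicated LCM user per instance, created by the cmdlet
#    itself (which also blocks inheritance on the sub OU). Prompting per instance
#    keeps each username and password unique to that instance.
foreach ($instance in @('HCI01', 'HCI02')) {
    $instanceOu = "OU=$instance,$parentDn"
    $cred = Get-Credential -Message "LCM deployment user for $instance (username only, no domain)"
    New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $cred -AsHciOUName $instanceOu
}
```

Keeping the per-instance OU creation inside the cmdlet rather than pre-creating it yourself preserves the permissions and inheritance settings the tool applies; the script only adds the parent layer and the enforced GPO link that the tool doesn't manage.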
If your organization's processes and procedures require deviations from these recommendations, they're allowed. However, consider the security and manageability implications of your design before you deviate from them.
Next steps
- Download operating system for Azure Local deployment on each machine in your system.