
Task 01: Configure Active Directory Domain Services

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: AD DS installation and configuration
PURPOSE: Establish the management domain for Azure Local infrastructure
MASTER REFERENCE: Microsoft Learn - AD DS

Status: Active


Overview

This task installs Active Directory Domain Services on the primary DC (dc01), promotes it to a domain controller, creating a new forest, and then promotes the secondary DC (dc02) as a replica domain controller in that domain. Afterwards, the OU structure, security groups, and service accounts are configured and the VNet DNS is switched to the two DCs.

Task Classification

Execution Target: Windows Server (on-VM configuration)
Tab Profile: 4 tabs: Server Manager · Direct Script (On Node) · Orchestrated Script (Mgmt Server) · Standalone Script

VM Restarts Required

Promoting a server to a domain controller requires a reboot. The VM will restart automatically.

Configuration Summary

| Setting | Value | Source |
|---------|-------|--------|
| Domain FQDN | azrl.mgmt | active_directory.domain.fqdn |
| NetBIOS | MGMT | active_directory.ad_netbios_name |
| Forest Level | Windows Server 2025 | Default |
| Domain Level | Windows Server 2025 | Default |
| DSRM Password | Key Vault | keyvault://<vault>/recovery-admin-password |
| Primary DC | dc01 | azure_vms.dc01.name |
| Replica DC | dc02 | azure_vms.dc02.name |

OU Structure

```
DC=azrl,DC=mgmt
└── OU=MGMT
    ├── OU=Computers
    ├── OU=Servers
    │   └── OU=AzureLocal
    │       └── OU=Clusters
    │           └── OU=azl-demo-clus01
    └── OU=ServiceAccounts
```

Prerequisites

  • Management VMs deployed — dc01 and dc02 running (via CI/CD Pipeline or Manual Task 11)
  • DSRM password stored in Key Vault
  • Domain name confirmed in Planning & Discovery
  • Bastion access to VMs verified

Variables from variables.yml

| Variable | Config Path | Example (IIC) |
|----------|-------------|---------------|
| Domain FQDN | active_directory.domain.fqdn | azrl.mgmt |
| NetBIOS Name | active_directory.ad_netbios_name | MGMT |
| Primary DC | azure_vms.dc01.name | vm-azrldc-azl-eus-01 |
| Replica DC | azure_vms.dc02.name | vm-azrldc-azl-eus-02 |
| DSRM Password | keyvault://<vault>/recovery-admin-password | (Key Vault) |

Single Subscription Model

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Target VMs | dc01, dc02 | azure_vms.dc01, azure_vms.dc02 |
| Domain FQDN | azrl.mgmt | active_directory.domain.fqdn |
| NetBIOS | MGMT | active_directory.ad_netbios_name |

Execution Options

Server Manager

When to use: Single deployment, prefer GUI-based configuration

Procedure — Primary DC (dc01)

  1. Connect to dc01 via Bastion (Task 05)

  2. Install AD DS Role:

  • Server Manager → Add Roles and Features → Next through wizard
  • Select Active Directory Domain Services
  • Install prerequisites → Install

  3. Promote to Domain Controller: click the notification flag → Promote this server to a domain controller, then enter:

| Field | Value | Source |
|-------|-------|--------|
| Deployment type | Add a new forest | — |
| Root domain name | azrl.mgmt | active_directory.domain.fqdn |
| Forest functional level | Windows Server 2025 | — |
| Domain functional level | Windows Server 2025 | — |
| DNS server | Checked | — |
| Global Catalog | Checked | — |
| DSRM password | From Key Vault | keyvault://<vault>/recovery-admin-password |

  The DSRM password is the only credential that can log on to the DC when AD DS is offline; treat it as a break-glass secret, paste it from Key Vault, and never record it in the runbook.

  4. NetBIOS Name: verify MGMT is auto-populated from active_directory.ad_netbios_name

  5. Complete wizard → Server restarts automatically
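The same dc01 promotion as a script, added here as an example and not the runbook's own "Direct Script (On Node)" tab content. It assumes dc01 has a system-assigned managed identity with read access to the vault, that the Az.Accounts and Az.KeyVault modules are installed, and that `<vault>` is replaced from variables.yml; the forest and domain functional levels are left at their defaults, which on a Windows Server 2025 host match the Configuration Summary.

```powershell
# Added example (not the runbook's own script). Run on dc01 as local Administrator.
# Assumptions: managed identity on dc01 with Key Vault secret read access; Az.Accounts/Az.KeyVault present.
$domainFqdn  = 'azrl.mgmt'   # active_directory.domain.fqdn
$netbiosName = 'MGMT'        # active_directory.ad_netbios_name
$vaultName   = '<vault>'     # placeholder from keyvault://<vault>/recovery-admin-password

# 1. Install the role plus management tools (AD PowerShell module, ADUC)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. DSRM password straight from Key Vault into a SecureString; it never lands on disk or in history
Connect-AzAccount -Identity | Out-Null
$dsrmPassword = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'recovery-admin-password' -AsPlainText |
    ConvertTo-SecureString -AsPlainText -Force

# 3. Pre-flight: reports blockers (DNS, IP configuration, password complexity) without changing anything
Test-ADDSForestInstallation -DomainName $domainFqdn -DomainNetbiosName $netbiosName `
    -SafeModeAdministratorPassword $dsrmPassword

# 4. Create the forest. DNS is installed and the DC is a Global Catalog (both defaults). No parent
#    zone exists for "mgmt", so skip the DNS delegation attempt. -Force suppresses the confirmation
#    prompt; the server reboots automatically when promotion completes.
Install-ADDSForest `
    -DomainName $domainFqdn `
    -DomainNetbiosName $netbiosName `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force
```

Add `-ForestMode` / `-DomainMode` only if the forest must interoperate with older DCs; otherwise the defaults give the Windows Server 2025 levels listed above.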

Procedure — Replica DC (dc02)

  1. Connect to dc02 via Bastion

  2. Set DNS: point dc02's primary DNS at dc01's private IP (azure_vms.dc01.private_ip) so the domain's SRV records resolve during promotion. Azure delivers DNS servers to the VM via DHCP from the NIC or VNet settings, so setting it on dc02's NIC in Azure is an alternative to an in-guest static setting.

  3. Install AD DS Role: same as Step 2 of the dc01 procedure

  4. Promote as Replica: click the notification flag → Promote this server to a domain controller, then enter:

| Field | Value |
|-------|-------|
| Deployment type | Add a domain controller to an existing domain |
| Domain | azrl.mgmt |
| Credential | Domain Admin from dc01 |
| DNS server | Checked |
| Global Catalog | Checked |
| DSRM password | From Key Vault |

  5. Server restarts automatically
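The replica promotion as a script, added as an example and not the runbook's own tab content. It assumes the same managed-identity access to Key Vault as on dc01, that `$dc01Ip` is filled from azure_vms.dc01.private_ip (the value below is a placeholder), and that dc01 has finished rebooting and is advertising as a DC.

```powershell
# Added example (not the runbook's own script). Run on dc02 as local Administrator after dc01 is back up.
# Assumptions: managed identity on dc02 with Key Vault secret read access; $dc01Ip substituted from config.
$domainFqdn = 'azrl.mgmt'   # active_directory.domain.fqdn
$dc01Ip     = '10.0.0.4'    # placeholder for azure_vms.dc01.private_ip
$vaultName  = '<vault>'     # placeholder from keyvault://<vault>/recovery-admin-password

# 1. Point dc02 at dc01 for DNS, then prove the DC locator record resolves before going further
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $dc01Ip
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainFqdn" -Type SRV -ErrorAction Stop | Out-Null

# 2. Install the role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Secrets: DSRM password from Key Vault; Domain Admin credential prompted at run time, never stored
Connect-AzAccount -Identity | Out-Null
$dsrmPassword = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'recovery-admin-password' -AsPlainText |
    ConvertTo-SecureString -AsPlainText -Force
$domainCred = Get-Credential -Message "Domain Admin for $domainFqdn (e.g. MGMT\Administrator)"

# 4. Pre-flight, then promote as a replica with DNS and Global Catalog (GC is the default). Reboots automatically.
Test-ADDSDomainControllerInstallation -DomainName $domainFqdn -Credential $domainCred `
    -SafeModeAdministratorPassword $dsrmPassword
Install-ADDSDomainController `
    -DomainName $domainFqdn `
    -Credential $domainCred `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force
```

If the SRV lookup in step 1 fails, stop there: it is the same symptom as the "dc02 cannot find domain" row in Troubleshooting and promotion will not succeed until dc01 answers DNS.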

Procedure — OU and Groups

  1. Create OU Structure on dc01: Active Directory Users and Computers → create the OUs per the OU Structure diagram above

  2. Create Security Groups: create each group from active_directory.security_groups.*

  3. Update VNet DNS: update the VNet DNS servers to point to both DCs' private IPs. VMs already running pick the change up on their next DHCP lease renewal or reboot. Add a forwarder on each DC (Azure's recursive resolver, 168.63.129.16) so names outside azrl.mgmt still resolve once clients use the DCs.
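The OU, group and VNet DNS steps as one idempotent script, added as an example and not the runbook's own tab content. The OU list is the structure from the diagram above; the two group names are placeholders for whatever active_directory.security_groups.* holds, and `$vnetName`, `$vnetRg`, `$dc01Ip` and `$dc02Ip` are assumed to be substituted from variables.yml. The VNet update needs the Az.Network module and an identity with write access to the VNet.

```powershell
# Added example (not the runbook's own script). Run on dc01 as Domain Admin once both DCs are promoted.
# Assumptions: group names are placeholders; VNet name/RG and DC IPs come from variables.yml.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # DC=azrl,DC=mgmt
$ouPaths = @(                                   # parents listed before children
    "OU=MGMT,$domainDn",
    "OU=Computers,OU=MGMT,$domainDn",
    "OU=Servers,OU=MGMT,$domainDn",
    "OU=AzureLocal,OU=Servers,OU=MGMT,$domainDn",
    "OU=Clusters,OU=AzureLocal,OU=Servers,OU=MGMT,$domainDn",
    "OU=azl-demo-clus01,OU=Clusters,OU=AzureLocal,OU=Servers,OU=MGMT,$domainDn",
    "OU=ServiceAccounts,OU=MGMT,$domainDn"
)

# 1. OUs: skip those that exist; keep accidental-deletion protection on (New-ADOrganizationalUnit default)
foreach ($dn in $ouPaths) {
    $rdn, $parent = $dn -split ',', 2
    $name = $rdn.Substring(3)                   # strip the leading "OU="
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Security groups (placeholder names). Global scope for role groups; use DomainLocal for groups
#    that are only placed on resource ACLs.
$groups = @(
    @{ Name = 'AzureLocal-Admins';     Scope = 'Global'; Path = "OU=MGMT,$domainDn" },
    @{ Name = 'AzureLocal-Deployment'; Scope = 'Global'; Path = "OU=ServiceAccounts,OU=MGMT,$domainDn" }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path
    }
}

# 3. Forwarder to Azure's recursive resolver so the DCs keep resolving public names. Repeat on dc02.
if (-not (Get-DnsServerForwarder | Where-Object { $_.IPAddress -contains '168.63.129.16' })) {
    Add-DnsServerForwarder -IPAddress 168.63.129.16
}

# 4. VNet DNS -> both DCs. Running VMs see the change on DHCP renew or reboot.
$vnetName = '<vnet>'; $vnetRg = '<resource-group>'       # placeholders from variables.yml
$dc01Ip = '10.0.0.4'; $dc02Ip = '10.0.0.5'               # placeholders for azure_vms.dc0X.private_ip
Connect-AzAccount -Identity | Out-Null
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($dc01Ip, $dc02Ip)
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

Ordering matters: the forwarder goes in before the VNet DNS switch, otherwise every VM on the VNet loses external name resolution between the two steps.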

Validation

  • Both DCs healthy: dcdiag /v passes all tests on dc01 and dc02
  • DNS resolution: Resolve-DnsName azrl.mgmt and the _ldap._tcp.dc._msdcs.azrl.mgmt SRV record answer from both DCs
  • Replication: repadmin /replsummary shows 0 failures
  • OU structure matches config
  • Security groups present
  • VNet DNS updated to both DC private IPs
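The validation list as a script that collects every failure before exiting non-zero, added as an example and not the runbook's own check. The expected OU list is the diagram above; the expected group names, `$vnetName`, `$vnetRg` and the DC IPs are placeholders assumed to be substituted from variables.yml.

```powershell
# Added example (not the runbook's own script). Run on dc01 as Domain Admin.
# Assumptions: group names, VNet name/RG and DC IPs are placeholders from variables.yml.
Import-Module ActiveDirectory
$domainFqdn = 'azrl.mgmt'
$expectedOus = @('OU=MGMT', 'OU=Computers,OU=MGMT', 'OU=Servers,OU=MGMT',
    'OU=AzureLocal,OU=Servers,OU=MGMT', 'OU=Clusters,OU=AzureLocal,OU=Servers,OU=MGMT',
    'OU=azl-demo-clus01,OU=Clusters,OU=AzureLocal,OU=Servers,OU=MGMT', 'OU=ServiceAccounts,OU=MGMT')
$expectedGroups = @('AzureLocal-Admins', 'AzureLocal-Deployment')   # placeholders
$expectedDns = @('10.0.0.4', '10.0.0.5')                             # placeholders for the DC private IPs
$vnetName = '<vnet>'; $vnetRg = '<resource-group>'                  # placeholders
$failures = @()

# 1. Two DCs registered in the domain
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
if ($dcs.Count -lt 2) { $failures += "Expected 2 DCs, found $($dcs.Count): $($dcs -join ', ')" }

# 2. dcdiag per DC; /q prints only failures, so any output is a failed test
foreach ($dc in $dcs) {
    $out = & dcdiag "/s:$dc" /q 2>&1
    if ($out) { $failures += "dcdiag $dc`: $($out -join ' ')" }
}

# 3. Replication: no recorded failures anywhere in the domain
$replFail = @(Get-ADReplicationFailure -Target $domainFqdn -Scope Domain)
if ($replFail.Count -gt 0) { $failures += "Replication failures: $($replFail.Count)" }

# 4. DNS: domain A record and DC locator SRV record, asked of each DC directly
foreach ($dc in $dcs) {
    foreach ($q in @(@{ N = $domainFqdn; T = 'A' }, @{ N = "_ldap._tcp.dc._msdcs.$domainFqdn"; T = 'SRV' })) {
        try { Resolve-DnsName -Name $q.N -Type $q.T -Server $dc -ErrorAction Stop | Out-Null }
        catch { $failures += "DNS $($q.T) $($q.N) via $dc`: $($_.Exception.Message)" }
    }
}

# 5. OU structure and groups
$domainDn = (Get-ADDomain).DistinguishedName
foreach ($rdn in $expectedOus) {
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$rdn,$domainDn'")) { $failures += "Missing OU $rdn" }
}
foreach ($g in $expectedGroups) {
    if (-not (Get-ADGroup -Filter "name -eq '$g'")) { $failures += "Missing group $g" }
}

# 6. VNet DNS points at exactly the DC IPs (Az.Network; needs read on the VNet)
Connect-AzAccount -Identity | Out-Null
$vnetDns = @((Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg).DhcpOptions.DnsServers)
if (Compare-Object $vnetDns $expectedDns) { $failures += "VNet DNS is [$($vnetDns -join ', ')], expected [$($expectedDns -join ', ')]" }

if ($failures) { $failures | ForEach-Object { Write-Error $_ }; exit 1 }
'All validation checks passed'
```

Step 4 queries each DC with `-Server` rather than the local resolver so a stale VNet setting cannot mask a DC whose DNS zone never loaded.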

CAF/WAF Landing Zone Model

AD DS configuration is identical regardless of landing zone model — it runs on the VMs in the Management subscription.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Management subscription | azure.subscriptions.management.id |
| Target VMs | dc01, dc02 in spoke VNet | azure_vms.dc01, azure_vms.dc02 |

Execution Options

The execution is the same as Single Subscription — the scripts run on the VMs regardless of which subscription they reside in. Use Bastion from the Connectivity subscription to access the VMs.


Troubleshooting

| Issue | Root Cause | Remediation |
|-------|------------|-------------|
| Promotion fails with a DNS error | VNet DNS not pointing to dc01 | Set VNet DNS to dc01's private IP before promoting dc02 |
| Replication failure | NSG or firewall between DCs | Ensure the NSG allows traffic between the two DC private IPs; at minimum DNS 53, Kerberos 88, RPC 135 plus the dynamic RPC range 49152-65535, LDAP 389/636, SMB 445, Global Catalog 3268/3269 and NTP 123 |
| DSRM password rejected | Complexity requirements | Use 12+ characters with mixed case, numbers, symbols |
| dc02 cannot find domain | DNS not resolving dc01 | Set dc02 primary DNS to dc01's private IP and confirm _ldap._tcp.dc._msdcs.azrl.mgmt resolves |
| OU creation fails | Insufficient permissions | Run as Domain Admin on dc01 |


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-20 by Hybrid Cloud Solutions
  • Version: 5.0.0 (previous: 4.0.0)
  • Tags: azure-local, active-directory, domain-controller, identity
  • Keywords: AD DS, Active Directory, domain controller, DSRM, forest, DNS, OU structure
  • Author: Hybrid Cloud Solutions