Phase 01: Active Directory Preparation
DOCUMENT CATEGORY: Runbook
SCOPE: Active Directory domain preparation
PURPOSE: Configure AD infrastructure for Azure Local
MASTER REFERENCE: Microsoft Learn - AD Prerequisites
Status: Active
Overview
Prepare the Active Directory domain infrastructure required for Azure Local deployment. This stage establishes the foundational identity services, organizational structure, and security configuration needed for cluster operations.
What This Stage Accomplishes
- Active Directory organizational preparation
- Organizational Unit (OU) structure creation
- Security groups for access control
- DNS configuration for cluster nodes
- Service and administrative accounts
- Group assignments and permissions
Prerequisites
- Windows Server domain controllers deployed
- Domain admin access
- DNS server configuration
- Azure Local requirements documentation
Active Directory Preparation Steps
Task 1: OU Creation & Pre-Creation Artifacts
Create the foundational OU structure in Active Directory.
- Create MGMT OU on root domain
- Create sub-OUs: Admins, Operations, Security Groups, Servers, Services
- Create Clusters AzureLocal OUs
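The OU tree from Task 1, as an added PowerShell example (not the runbook's own tooling). It assumes the RSAT ActiveDirectory module and Domain Admin rights, reads the domain DN live, and treats "Clusters" as a sub-OU of MGMT with "AzureLocal" beneath it (an assumption about the intended layout). Each OU is created only if missing, so the script can be re-run safely, and every OU is protected from accidental deletion.

```powershell
# Added example, not from the runbook: build MGMT OU tree idempotently.
# Assumes: ActiveDirectory module, Domain Admin rights, Clusters\AzureLocal under MGMT.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

function New-OuIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentDn
    )
    # Look only one level down so a same-named OU elsewhere does not mask a missing one
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn `
        -SearchScope OneLevel -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Exists: $($existing.DistinguishedName)"
        return $existing.DistinguishedName
    }
    $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDn `
        -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Verbose "Created: $($ou.DistinguishedName)"
    return $ou.DistinguishedName
}

# MGMT on the domain root, then the five sub-OUs from Task 1
$mgmtDn = New-OuIfMissing -Name 'MGMT' -ParentDn $domainDn
foreach ($sub in 'Admins', 'Operations', 'Security Groups', 'Servers', 'Services') {
    New-OuIfMissing -Name $sub -ParentDn $mgmtDn | Out-Null
}

# Clusters\AzureLocal (assumed placement under MGMT)
$clustersDn = New-OuIfMissing -Name 'Clusters' -ParentDn $mgmtDn
New-OuIfMissing -Name 'AzureLocal' -ParentDn $clustersDn | Out-Null

# Show the resulting tree for the validation checklist
Get-ADOrganizationalUnit -SearchBase $mgmtDn -Filter * |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName
```

Run with `-Verbose` to see which OUs were created versus already present.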
Task 2: Security Groups
Create 7 security groups for role-based access control of Azure Local operations. Group names follow the convention SG-{org_prefix}-{cluster_id}-AZL-{role}, driven by active_directory.security_groups.org_prefix and cluster_id in variables.yml. The Node Assignment column lists the local groups on each cluster node (or the WAC server) that the AD group is mapped into.
| YAML Key | Example Name | Node Assignment |
|---|---|---|
| azure_local_admins | SG-IIC-clus01-AZL-Administrators | Administrators |
| operations | SG-IIC-clus01-AZL-Operations | Remote Management Users, Remote Desktop Users |
| read_only | SG-IIC-clus01-AZL-ReadOnly | Remote Desktop Users, Performance Monitor Users, Event Log Readers |
| wac_admins | SG-IIC-clus01-AZL-WAC-Administrators | WAC server only |
| wac_users | SG-IIC-clus01-AZL-WAC-Users | WAC server only |
| hyperv_admins | SG-IIC-clus01-AZL-HyperV-Administrators | Hyper-V Administrators, Remote Management Users |
| storage_admins | SG-IIC-clus01-AZL-Storage-Administrators | Administrators |
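Creating the seven groups from the naming convention, as an added PowerShell example rather than the runbook's own automation. The org_prefix and cluster_id values are hard-coded to the table's examples (IIC, clus01) in place of reading variables.yml; the role suffixes are taken from the Example Name column. Groups land in the Security Groups OU created in Task 1, are global security groups, and are skipped if they already exist.

```powershell
# Added example, not from the runbook: create the 7 role groups from the naming convention.
# Assumes: ActiveDirectory module, rights on OU=Security Groups,OU=MGMT, and that
# org_prefix / cluster_id would normally come from variables.yml (hard-coded here).
Import-Module ActiveDirectory

$orgPrefix = 'IIC'      # active_directory.security_groups.org_prefix
$clusterId = 'clus01'   # cluster_id
$groupOuDn = "OU=Security Groups,OU=MGMT,$((Get-ADDomain).DistinguishedName)"

# YAML key -> {role} suffix, in the order of the Task 2 table
$roles = [ordered]@{
    azure_local_admins = 'Administrators'
    operations         = 'Operations'
    read_only          = 'ReadOnly'
    wac_admins         = 'WAC-Administrators'
    wac_users          = 'WAC-Users'
    hyperv_admins      = 'HyperV-Administrators'
    storage_admins     = 'Storage-Administrators'
}

$results = foreach ($key in $roles.Keys) {
    $name = "SG-$orgPrefix-$clusterId-AZL-$($roles[$key])"
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($existing) {
        [pscustomobject]@{ YamlKey = $key; Group = $name; State = 'exists' }
        continue
    }
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
        -Path $groupOuDn -Description "Azure Local $clusterId role '$key' (variables.yml)" | Out-Null
    [pscustomobject]@{ YamlKey = $key; Group = $name; State = 'created' }
}

$results | Format-Table -AutoSize

# Checklist item "All security groups created": exactly 7 must match the prefix
$count = @(Get-ADGroup -Filter "Name -like 'SG-$orgPrefix-$clusterId-AZL-*'" -SearchBase $groupOuDn).Count
if ($count -ne 7) { Write-Error "Expected 7 groups, found $count" }
```

Global scope is used so the groups can be nested into local groups on the nodes in Task 5; if members will come from other domains, switch to Universal.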
Task 3: DNS Node A Records
Configure DNS A records for cluster node resolution.
- Create forward and reverse lookup zones
- Configure A records for cluster nodes
- Set up CNAME records for management endpoints
- Verify DNS resolution
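The four DNS steps carried through end to end, as an added PowerShell example that is not part of the runbook. It assumes the RSAT DnsServer module and rights on the DNS server; the server name, zone, subnet, node names and addresses are constructed placeholders standing in for values from variables.yml. The reverse zone is created if absent (so PTRs have a home), A records are added with matching PTRs, a management CNAME is added, and the final loop checks that forward and reverse resolution agree for every node.

```powershell
# Added example, not from the runbook: node A/PTR records, a management CNAME, verification.
# Assumes: DnsServer module, rights on the DNS server; all names/addresses are placeholders.
Import-Module DnsServer

$dnsServer  = 'dc01.corp.example.com'      # placeholder DC running DNS
$zone       = 'corp.example.com'           # placeholder forward zone
$mgmtSubnet = '10.10.1.0/24'               # constructed management subnet (/24 assumed)
$nodes      = [ordered]@{ 'azl-clus01-n1' = '10.10.1.11'; 'azl-clus01-n2' = '10.10.1.12' }
$cnames     = @{ 'wac-clus01' = "wac01.$zone" }   # alias -> target FQDN, constructed

# Reverse zone name for a /24: first three octets reversed; -CreatePtr needs it to exist
$o = $mgmtSubnet.Split('/')[0].Split('.')
$reverseZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
if (-not (Get-DnsServerZone -Name $reverseZone -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $mgmtSubnet -ReplicationScope Domain -ComputerName $dnsServer
}

# A records (with PTR) for each node, skipping ones already present
foreach ($name in $nodes.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A `
        -ComputerName $dnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $nodes[$name] `
            -CreatePtr -ComputerName $dnsServer
    }
}

# CNAMEs for management endpoints
foreach ($alias in $cnames.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName `
        -ComputerName $dnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $cnames[$alias] `
            -ComputerName $dnsServer
    }
}

# Verification: forward and reverse must agree for every node
$failures = foreach ($name in $nodes.Keys) {
    $fqdn = "$name.$zone"
    $fwd = (Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -ErrorAction SilentlyContinue).IPAddress
    $rev = (Resolve-DnsName -Name $nodes[$name] -Type PTR -Server $dnsServer -ErrorAction SilentlyContinue).NameHost
    if ($fwd -ne $nodes[$name] -or $rev -ne $fqdn) { "$fqdn A=$fwd PTR=$rev" }
}
if ($failures) {
    Write-Error ("DNS verification failed:`n" + ($failures -join "`n"))
} else {
    'All node records resolve forward and reverse.'
}
```

Querying `-Server $dnsServer` directly avoids a false pass from a cached answer on the workstation; repeat the check against a second DC once zone replication has run.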
Task 4: Service & Admin Accounts
Create supplemental service and administrative user accounts.
- Break-glass emergency admin account
- Optional gMSA (Group Managed Service Account) scaffold
- Configure account properties and secure password storage
Note: The LCM deployment account is created in Task 01.
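The break-glass account and the optional gMSA scaffold from Task 4, as an added PowerShell example rather than the runbook's own script. It assumes the ActiveDirectory module, Domain Admin rights, the Admins and Services OUs from Task 1, and a pre-existing group holding the cluster node computer objects (placeholder name); the account names are constructed. The break-glass password is prompted for, never written into the script, and the account is created disabled and non-delegatable so it only becomes usable when deliberately enabled.

```powershell
# Added example, not from the runbook: break-glass admin and gMSA scaffold.
# Assumes: ActiveDirectory module, Domain Admin rights, OUs from Task 1,
# and a group of node computer accounts (placeholder) for the gMSA.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$clusterId = 'clus01'
$adminsOu  = "OU=Admins,OU=MGMT,$($domain.DistinguishedName)"
$svcOu     = "OU=Services,OU=MGMT,$($domain.DistinguishedName)"

# --- Break-glass emergency admin (constructed name) ---
$bgName = "bg-$clusterId-admin"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$bgName'")) {
    # Prompted, not embedded; record it in the password vault immediately afterwards
    $bgPassword = Read-Host -Prompt "Password for $bgName" -AsSecureString
    New-ADUser -Name $bgName -SamAccountName $bgName `
        -UserPrincipalName "$bgName@$($domain.DNSRoot)" -Path $adminsOu `
        -AccountPassword $bgPassword -Enabled $false -PasswordNeverExpires $true `
        -KerberosEncryptionType AES256 `
        -Description "Break-glass admin for $clusterId; enable only during an incident"
}
# Sensitive account: cannot be delegated by any service
Set-ADAccountControl -Identity $bgName -AccountNotDelegated $true

# --- Optional gMSA scaffold ---
# A KDS root key must exist; a new key takes ~10 hours to become usable on all DCs
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key just created; gMSA password retrieval works after replication (~10h).'
}

$gmsaName   = "gmsa-$clusterId-svc"                 # gMSA names are limited to 15 characters
$hostsGroup = "SG-IIC-$clusterId-AZL-Hosts"         # placeholder: group of node computer objects
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
        -Path $svcOu -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup `
        -KerberosEncryptionType AES256 -Enabled $true `
        -Description "gMSA scaffold for Azure Local $clusterId services"
}

# Summary for the validation checklist
Get-ADUser -Identity $bgName -Properties Enabled, AccountNotDelegated, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, AccountNotDelegated, PasswordNeverExpires
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword
```

On each node that will use the gMSA, `Install-ADServiceAccount` followed by `Test-ADServiceAccount` confirms the host can retrieve the managed password; a `False` result usually means the node is not in the principals group or the KDS key has not replicated yet.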
Task 5: Group Assignments
Assign users and service accounts to security groups.
- Add users to appropriate security groups
- Configure group memberships
- Assign group permissions
- Validate group policies
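Group assignment in two layers, as an added PowerShell example that is not the runbook's own automation: first adding users to the AD groups, then mapping each AD group into the node-local groups listed in the Task 2 Node Assignment column. It assumes the ActiveDirectory module, WinRM access to the nodes, and the groups from Task 2; the user and node names are constructed. Both layers check current membership first so re-running adds nothing twice.

```powershell
# Added example, not from the runbook: AD group membership plus node-local group mapping.
# Assumes: ActiveDirectory module, WinRM to the nodes, Task 2 groups exist; names are constructed.
Import-Module ActiveDirectory

$orgPrefix = 'IIC'
$clusterId = 'clus01'
$netbios   = (Get-ADDomain).NetBIOSName
$nodes     = 'azl-clus01-n1', 'azl-clus01-n2'     # constructed node names

function Get-SgName { param([string]$Role) "SG-$orgPrefix-$clusterId-AZL-$Role" }

# --- Layer 1: users into AD groups (constructed sample users) ---
$adMemberships = @{}
$adMemberships[(Get-SgName 'Administrators')]        = @('adm.alice')
$adMemberships[(Get-SgName 'Operations')]            = @('ops.bob')
$adMemberships[(Get-SgName 'ReadOnly')]              = @('audit.carol')
$adMemberships[(Get-SgName 'HyperV-Administrators')] = @('ops.bob')

foreach ($group in $adMemberships.Keys) {
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    $missing = @($adMemberships[$group] | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $missing }
}

# --- Layer 2: AD groups into node-local groups (Node Assignment column) ---
# WAC-* groups are assigned on the WAC server only and are deliberately absent here.
$localMap = @{
    'Administrators'         = @('Administrators')
    'Operations'             = @('Remote Management Users', 'Remote Desktop Users')
    'ReadOnly'               = @('Remote Desktop Users', 'Performance Monitor Users', 'Event Log Readers')
    'HyperV-Administrators'  = @('Hyper-V Administrators', 'Remote Management Users')
    'Storage-Administrators' = @('Administrators')
}

$report = Invoke-Command -ComputerName $nodes -ArgumentList $localMap, $orgPrefix, $clusterId, $netbios -ScriptBlock {
    param($map, $prefix, $cid, $nb)
    foreach ($role in $map.Keys) {
        $adGroup = "$nb\SG-$prefix-$cid-AZL-$role"
        foreach ($local in $map[$role]) {
            # 'Hyper-V Administrators' only exists once the Hyper-V role is installed
            $members = Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
            if ($null -eq $members -and -not (Get-LocalGroup -Name $local -ErrorAction SilentlyContinue)) {
                [pscustomobject]@{ Node = $env:COMPUTERNAME; Local = $local; AdGroup = $adGroup; State = 'local group missing' }
                continue
            }
            if ($adGroup -notin $members) {
                Add-LocalGroupMember -Group $local -Member $adGroup
                [pscustomobject]@{ Node = $env:COMPUTERNAME; Local = $local; AdGroup = $adGroup; State = 'added' }
            } else {
                [pscustomobject]@{ Node = $env:COMPUTERNAME; Local = $local; AdGroup = $adGroup; State = 'present' }
            }
        }
    }
}

$report | Sort-Object Node, Local | Format-Table Node, Local, AdGroup, State -AutoSize

# Validation: every AD group must show its members
foreach ($group in $adMemberships.Keys) {
    "{0}: {1}" -f $group, ((Get-ADGroupMember -Identity $group).SamAccountName -join ', ')
}
```

Any row reporting "local group missing" is expected before the Hyper-V role is installed; re-run the mapping once the nodes have their roles.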
Validation Checklist
- Active Directory domain deployed and functional
- OU structure created and verified
- All security groups created
- DNS records configured and resolving
- Service and admin accounts created
- Group assignments completed
- Domain controller replication verified
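The checklist as a single pass/fail script, added here as an example and not part of the runbook. It assumes the ActiveDirectory and DnsServer modules, the names used in the earlier tasks (IIC, clus01), and constructed node and zone names. Each checklist item becomes one boolean, replication is checked with Get-ADReplicationFailure across the domain, and the script exits non-zero if anything fails so it can gate the move to the next phase.

```powershell
# Added example, not from the runbook: turn the validation checklist into a scripted gate.
# Assumes: ActiveDirectory + DnsServer modules; zone, node and account names are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$orgPrefix = 'IIC'
$clusterId = 'clus01'
$domain    = Get-ADDomain
$mgmtDn    = "OU=MGMT,$($domain.DistinguishedName)"
$zone      = $domain.DNSRoot                                   # assumes nodes live in the domain zone
$nodes     = 'azl-clus01-n1', 'azl-clus01-n2'                  # constructed
$accounts  = @("bg-$clusterId-admin")                          # constructed break-glass name

$checks = [ordered]@{}

# Domain functional: a writable DC answers
$checks['Domain functional'] = [bool](Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue)

# OU structure: AzureLocal OU reachable under MGMT
$checks['OU structure'] = [bool](Get-ADOrganizationalUnit -LDAPFilter '(ou=AzureLocal)' `
    -SearchBase $mgmtDn -ErrorAction SilentlyContinue)

# Security groups: exactly the 7 from Task 2
$groups = @(Get-ADGroup -Filter "Name -like 'SG-$orgPrefix-$clusterId-AZL-*'")
$checks['7 security groups'] = ($groups.Count -eq 7)

# DNS: every node resolves to an address and that address resolves back
$checks['DNS records'] = -not ($nodes | Where-Object {
    $ip = (Resolve-DnsName -Name "$_.$zone" -Type A -ErrorAction SilentlyContinue).IPAddress
    -not $ip -or ((Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost -ne "$_.$zone")
})

# Accounts exist
$checks['Accounts created'] = -not ($accounts | Where-Object {
    -not (Get-ADUser -Filter "SamAccountName -eq '$_'" -ErrorAction SilentlyContinue)
})

# Group assignments: no role group left empty
$checks['Group assignments'] = -not ($groups | Where-Object {
    @(Get-ADGroupMember -Identity $_).Count -eq 0
})

# Replication: no failures reported by any DC in the domain
$checks['Replication clean'] = (@(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain).Count -eq 0)

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) { Write-Error "Failed: $($failed.Key -join ', ')"; exit 1 }
'All Phase 01 checks passed.'
```

The "Group assignments" check treats an empty role group as a failure; relax it for groups that are intentionally populated later (for example the WAC groups) by filtering them out of `$groups`.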
Next Steps
After completing Active Directory preparation, proceed to Phase 09 - Enterprise Network Readiness Validation to validate network prerequisites.
Support Resources
- Microsoft Azure Local AD Requirements
- Active Directory Best Practices
- Contact the Azure Local Cloud team for assistance
Navigation
| ← Part 3: On-Premises Readiness | ↑ Part 3: On-Premises Readiness | Task 01: OU Creation → |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-06-01 | Azure Local Cloud Azure Local Cloudnology | Initial document |
| 1.1 | 2026-03-03 | Azure Local Cloud Azure Local Cloudnology | Standardized runbook format |