1
00:00:01,240 --> 00:00:02,300
In this demonstration,

2
00:00:02,300 --> 00:00:05,310
we're going to look at trust relationships in Active Directory,

3
00:00:05,310 --> 00:00:09,270
but I want to start by sweeping up some shavings from the previous module,

4
00:00:09,270 --> 00:00:13,690
and that is, I didn't show you how to promote a domain controller as an Azure VM,

5
00:00:13,690 --> 00:00:15,770
as opposed to an on‑premises VM.

6
00:00:15,770 --> 00:00:16,100
Now,

7
00:00:16,100 --> 00:00:19,990
really there's nothing to show, since the procedure is exactly the same.

8
00:00:19,990 --> 00:00:23,210
As long as you've extended your local environment into Azure with

9
00:00:23,210 --> 00:00:25,750
a Site‑to‑Site VPN or an ExpressRoute link,

10
00:00:25,750 --> 00:00:26,690
you're good to go,

11
00:00:26,690 --> 00:00:29,850
and then you can deploy your Windows Server VMs to

12
00:00:29,850 --> 00:00:34,000
the Azure VNet, or virtual network, install the server role,

13
00:00:34,000 --> 00:00:35,810
and promote the machine just like you would.

14
00:00:35,810 --> 00:00:38,920
But the main catch that I need you to be aware of is configuring

15
00:00:38,920 --> 00:00:42,240
DNS and making sure that in your virtual network,

16
00:00:42,240 --> 00:00:45,630
those servers and any other machines that are going to be involved in

17
00:00:45,630 --> 00:00:49,370
domain communications have the DNS server IP addresses.

18
00:00:49,370 --> 00:00:52,300
So here we're looking in my Azure subscription at a

19
00:00:52,300 --> 00:00:54,260
VNet I have called cloud‑vnet,

20
00:00:54,260 --> 00:00:58,800
and I do have a domain controller deployed called rootdc3,

21
00:00:58,800 --> 00:01:02,590
as you can see, that's consuming an IP address in this environment.

22
00:01:02,590 --> 00:01:06,630
And what you do is you go to the DNS server settings right here,

23
00:01:06,630 --> 00:01:09,540
and instead of using the Azure‑provided DNS,

24
00:01:09,540 --> 00:01:12,070
you override that by selecting Custom,

25
00:01:12,070 --> 00:01:14,650
and this is where you'll populate the IP addresses.

26
00:01:14,650 --> 00:01:17,950
If you're Site‑to‑Site VPN or ExpressRoute,

27
00:01:17,950 --> 00:01:20,220
you can use private, non‑internet‑routable addresses,

28
00:01:20,220 --> 00:01:24,190
so you would add the domain controller IP addresses on‑prem,

29
00:01:24,190 --> 00:01:28,050
on the local side, as well as your cloud‑hosted VM;

30
00:01:28,050 --> 00:01:30,440
you would need to populate its address here.

31
00:01:30,440 --> 00:01:34,430
So notice that you're configuring the virtual network with those

32
00:01:34,430 --> 00:01:37,590
Active Directory domain controller DNS settings.

33
00:01:37,590 --> 00:01:41,700
You're not RDPing into the VM and configuring the network properties.

34
00:01:41,700 --> 00:01:42,990
Never make that mistake.

35
00:01:42,990 --> 00:01:46,590
You want to make sure that your TCP/IP configuration in Azure

36
00:01:46,590 --> 00:01:49,270
is always done in the Azure control plane.

37
00:01:49,270 --> 00:01:51,870
Now, you can actually configure custom DNS

38
00:01:51,870 --> 00:01:55,430
if you don't want to do it at the VNet level, or if you do it at the VNet level,

39
00:01:55,430 --> 00:02:00,410
you can continue to refine, because remember that your virtual machines all

40
00:02:00,410 --> 00:02:05,100
have their TCP/IP defined in the network interface resource.

41
00:02:05,100 --> 00:02:08,470
Now we could take a look, for instance, at this rootdc2 network

42
00:02:08,470 --> 00:02:11,230
interface and note that there's a DNS server setting here,

43
00:02:11,230 --> 00:02:15,890
and the default setting is to inherit the DNS from the virtual network settings,

44
00:02:15,890 --> 00:02:19,440
but you can override that if you want to or if you need to.

45
00:02:19,440 --> 00:02:23,840
Another thing to consider is the private IP of your Azure domain controller.

46
00:02:23,840 --> 00:02:26,650
You don't want a dynamic private IP address.

47
00:02:26,650 --> 00:02:30,340
You don't want that private IP to change when you restart the domain

48
00:02:30,340 --> 00:02:33,110
controller or shut it down and turn it back on,

49
00:02:33,110 --> 00:02:35,120
so in order to do static addressing,

50
00:02:35,120 --> 00:02:37,840
you do that, again, at the network interface level.

51
00:02:37,840 --> 00:02:42,640
We come to IP configurations, we select the default IP configuration,

52
00:02:42,640 --> 00:02:44,790
and then for your private IP address,

53
00:02:44,790 --> 00:02:47,610
you'll want to flip the switch from Dynamic to Static,

54
00:02:47,610 --> 00:02:51,380
choose a non‑conflicting private IP address in that subnet,

55
00:02:51,380 --> 00:02:52,150
hit Save,

56
00:02:52,150 --> 00:02:55,230
and you will have to restart the virtual machine for

57
00:02:55,230 --> 00:02:57,080
that VM to pick up the change.

58
00:02:57,080 --> 00:03:00,680
Now, another Azure‑specific idea I want to cover before

59
00:03:00,680 --> 00:03:03,070
I continue this lesson's material:

60
00:03:03,070 --> 00:03:07,110
I want to make you aware of the Azure QuickStart templates repository at GitHub.

61
00:03:07,110 --> 00:03:09,860
You can check the exercise files for links on this.

62
00:03:09,860 --> 00:03:13,360
There's a public marketing page where you could easily look up templates,

63
00:03:13,360 --> 00:03:16,010
or you could clone the entire repo like I did.

64
00:03:16,010 --> 00:03:19,610
And there are some Azure Resource Manager deployment templates in

65
00:03:19,610 --> 00:03:22,330
there that automate domain controller placement.

66
00:03:22,330 --> 00:03:26,160
Specifically in the repo, if you go under application‑workloads,

67
00:03:26,160 --> 00:03:29,400
active‑directory, active‑directory‑new‑domain,

68
00:03:29,400 --> 00:03:32,060
this is an ARM template that walks you through,

69
00:03:32,060 --> 00:03:36,360
and what it's using is PowerShell Desired State Configuration.

70
00:03:36,360 --> 00:03:40,160
So what it's automating is the deployment of the virtual machine,

71
00:03:40,160 --> 00:03:43,460
and notice that in the parameters file, let me bring that up a little bit,

72
00:03:43,460 --> 00:03:45,950
you need to specify your default credentials.

73
00:03:45,950 --> 00:03:49,140
And I would strongly recommend, instead of putting a value here for

74
00:03:49,140 --> 00:03:51,640
your admin password in your parameter file,

75
00:03:51,640 --> 00:03:54,560
that you store your admin password in Azure Key Vault,

76
00:03:54,560 --> 00:03:57,140
and instead of doing a value in your JSON,

77
00:03:57,140 --> 00:04:01,580
you can actually do a reference, specifically to an Azure keyVault,

78
00:04:01,580 --> 00:04:04,720
and you specify the resource ID of the keyVault,

79
00:04:04,720 --> 00:04:06,360
and then the name of the secret.

80
00:04:06,360 --> 00:04:09,680
And as long as you or whoever runs the deployment has

81
00:04:09,680 --> 00:04:12,440
permissions in the Key Vault to read out that key,

82
00:04:12,440 --> 00:04:15,790
this means that you can pass credentials in your deployment templates

83
00:04:15,790 --> 00:04:18,710
without ever exposing the plaintext of those secrets.

84
00:04:18,710 --> 00:04:21,160
But anyway, the magic here, like I said,

85
00:04:21,160 --> 00:04:24,650
is that we're injecting a PowerShell script here that's

86
00:04:24,650 --> 00:04:27,940
actually a Desired State Configuration file.

87
00:04:27,940 --> 00:04:30,840
And as you can see, if you've worked with PowerShell DSC,

88
00:04:30,840 --> 00:04:34,740
this is a configuration management platform that's built into PowerShell,

89
00:04:34,740 --> 00:04:37,540
and this is responsible for, as you can see here,

90
00:04:37,540 --> 00:04:41,100
ensuring that the DNS server role is installed,

91
00:04:41,100 --> 00:04:43,910
configured, and available, DnsTools,

92
00:04:43,910 --> 00:04:46,420
and then eventually we've got AD‑Domain‑Services,

93
00:04:46,420 --> 00:04:50,440
and there are some additional nested templates in here

94
00:04:50,440 --> 00:04:52,910
that deal with the rest of the process.

95
00:04:52,910 --> 00:04:53,330
Actually,

96
00:04:53,330 --> 00:04:57,010
you can do the domain controller promotion, including

97
00:04:57,010 --> 00:05:00,870
the appropriate RSAT tools, all in the context of this

98
00:05:00,870 --> 00:05:02,970
Desired State Configuration script.

99
00:05:02,970 --> 00:05:05,510
So the exam's not going to get to that level of depth,

100
00:05:05,510 --> 00:05:06,600
but long story short,

101
00:05:06,600 --> 00:05:09,310
deploying domain controllers in the VNet is

102
00:05:09,310 --> 00:05:11,680
basically the same process as on‑prem;

103
00:05:11,680 --> 00:05:15,150
it's just that you want to keep your IP addressing and your DNS

104
00:05:15,150 --> 00:05:17,860
configuration done in your VNets properly,

105
00:05:17,860 --> 00:05:21,170
and then in terms of automated deployment using ARM templates,

106
00:05:21,170 --> 00:05:29,000
you do have the ability, this is just one pattern, to automate the promotion of the domain controller if you want to.