Securing an active directory environment is a very crucial consideration while designing a datacenter in a traditional datacenter environment to secure an AD environment we keep a primary domain controller at the primary site and secondary domain controller in some other site, so that in any unwanted situation we make sure our directory services are available and users/resources are getting authenticated with the available domain controller.
Introducing VMware Cloud to the Scenario:
With the increased usage of VMware cloud on AWS, customers are liking the idea of using VMware cloud as a DR site for their on-prem environment. Adding to the same idea we will demonstrate how can we secure the on-prem Active directory environment by deploying a secondary domain controller in VMware cloud on aws , and if needed how can we promote it as a primary domain controller (DR or on-prem datacenter’s Maintenance/Upgradation) .
General Info for this demonstration:
There could be multiple active directory scenarios however for the purpose of this demonstration we are using following configuration.
# 1 Primary domain controller named ad-dns.homelab.lab (preconfigured)
# 1 on-prem DNS server (Preconfigured)
# An Active and preconfigured CGW ipsec VPN (check my old post on how to configure VPN and firewall click here)
# Onprem Domain Name homelab.lab
# VMC DC Name : VMC-AD-DNS
Good to know information before we begin:
In an active directory environment, you typically have 1 Primary domain controller and some Secondary/Backup/additional domain controllers. Secondary domain controllers are used for load balancing and as a backup for primary DC in case of any failure.
Also, if there is a condition where we want to promote Secondary DC to primary we can do it by transferring/Seizing 5 FSMO roles to it.
To better understand the scenario Lets start with having a look at the current configuration.
In my on-prem DC we ran “nltest /dclist:homelab.lab” command and found that currently we have only 1 DC i.e. ad-dns.homelab.lab.
Now we need to deploy a secondary DC (Server 2012 R2 for this demonstraion) in VMC environment and before that Some firewall configuration is needed and other settings need to be verified.
Opening Firewall rules on your onprem and CGW of VMC
TCP and UDP Port 88 – Kerberos authentication
TCP and UDP Port 135 – domain controllers-to-domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 – File Replication Service between domain controllers.
UDP Port 389 – LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 – File Replication Service
TCP and UDP Port 464 – Kerberos Password Change
TCP Port 3268 and 3269 – Global Catalog from client to domain controller.
TCP and UDP Port 53 – DNS from client to domain controller and domain controller to domain controller.
TCP Port 5722 – DFSR/RPC – Sysvol Replication between Domain Controllers.
Other Consideration for the ports could be:
TCP Port Range 1025-5000 – If your network has any Server 2003 R2 or older domain controllers. This is the default dynamic range for RPC connections.
TCP Port Range 49152-65535 – If your network has any Server 2008 or newer domain controllers. This is the new dynamic port range for RPC connections
2. Connectivity between the new VM in VMC to DC and DNS server (verify it with ping)
3. Change the DNS on VMC server to your on-prem DNS (If you are planning to install a secondary dns in VMC you can do that too)
Install and Prepare the environment :
After all these checks we will install active directory role on the VMC server, The installation is simple, from server manager you click on add roles and features and select the box Active directory domain services and follow the wizard.
Once installed we need to configure it and the only difference in the configuration of Secondary Domain controller is, you select option as add a domain controller to an existing domain and supply the domain name and domain admin username and password.
Follow the wizard for rest of the configuration. If all the config is correct AD will be installed and during the installation it-self, you will be able to contact and list out the other DC.
Once the wizard completes the secondary DC will reboot and That’s It! you are ready with your secondary Functional DC.
Now we will talk about the second scenario where we need to transfer the roles from primary to secondary DC.
Let’s verify which Domain controller is holding the FSMO roles right now.
On any of the DC you run command “netdom /query fsmo” to check which DC holds what role
As we can see above right now the onprem DC contains all the 5 FSMO roles.
(For ow to transfer roles refer official Microsoft KB)
It was easy and quick I first transferred the domain wide role you can see the before and after transfer status of the Domain wide role transfer.
Once that was done we can transfer the forest wide roles as well, so all the 5 roles were now present on the DC hosted in VMware cloud.
Optionally you can perform a cleanup task to clear out the original DC entry (only if you don’t want to bring it back in the environment) demonstrated here.
And your new Primary DC in VMC cloud is ready for use 😊