Install and configure ADDS on Windows Server 2022 Core in Azure (Part 2)

A question I often get is ‘why should I use Windows Server Core edition’? This is difficult to manage and I do not like a server without a graphical interface.

The first thing I always tell you is, you DON’T HAVE to do anything, but my advice is to do it. Especially for a number of crucial server roles.

Some advantages of Windows Server Core edition at a glance:

· It’s faster (less services running, no overhead, no graphical user interface)

· More secure

· It’s modern

· Less disk space required

· Smaller footprint

· Smaller attack surface

· Faster deployment

Difference in installed services:

On Windows Server 2022 with a graphical user interface, there are 210 installed services. On the Windows Server Core edition, there are just 127 installed services. That’s a big difference of 83 services.

image

image

Defference in running services:

On Windows Server 2022 with a graphical user interface, there are 73 running services. On Windows Server Core edition, there are just 66 running services. That’s a difference of 7 servies.

image

image

Used diskspace on the C drive

On Windows Server 2022 with a graphical user interface, the installation of the operating system uses around the 13 GB of space.

image

The Windows Server Core edition, just uses arount the 9 GB of space for the operating system.

image

Performance (CPU and memory)

In performance, there is a little difference on ‘normal’ usage of the server. The memory usage on Server Core edition is around the 1,6 GB and 2,1 on the graphical version. The CPU load is also a little less as you can see.

image

image

Summary:

The choice of whether or not to deploy Windows Server Core within the infrastructure depends on a number of things. First of all, the workload or application must be suitable to run on Server Core. This is certainly not the case for all applications or server roles.

Especially for crucial server roles, such as domain controllers, it is advisable to use Server Core. It offers a number of advantages, which contributes to a more stable and secure environment.

And with Remote Server Administration Tools (RSAT), Microsoft Management Console (MMC), Windows Admin Center or Arc, a Windows Server with core edition is easy to manage.

Install and configure ADDS on Windows Server 2022 Core in Azure (Part 1)

Today, I’m going to show you how to install and configure Active Directory Domain Services on Windows Server 2022 Core edition on Azure.

I’ve used some ARM templates to deploy my two domain controllers in Azure, based on Windows Server 2022 Core edition. These servers are in a separate subnet within my Azure environment. In this example, Í’ve two domain controllers, mss-dc-core001 and mss-dc-core002.

The first step is to configure the following things:

  • Machine name
  • Static IP from the Azure Portal (NOT within the VM)
  • Static DNS from the Azure Portal (NOT within the VM)
  • Date and Time
  • Install all the latest updates

image

image

image

After logging in to the first domain controllers, there’s just one big black screen with ‘SCONFIG’ open, that’s all!

image

The next step is to prepare the data partition on our second disk to place the ADDS database, NETLOGON and SYSVOL directories. For this configuration, we are using DISKPART. We have created a new volume on the second disk It’s drive D: with 16 GiB storage and disk caching is disabled.

image

After the first configuration of the servers, we are ready to start the installation of the necessary services and features. Press ‘15’ to enter Powershell.

Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools

image

Install-ADDSForest -DomainName "network.lab" -DomainMode 7 -ForestMode 7 -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs"

image

image

Because we are using Windows Core edition, we don’t have any graphical management tools on the domain controllers. Therefore, we have installed the Remote Server Administration Tools or RSAT on a management server.

image

Here we can start ‘Active Directory Users & Computers’ to take a look into our new created Active Directory environment.

Install-windowsfeature -name AD-Domain-Services, DNS -IncludeManagementTools

image

Install-ADDSDomainController -DomainName "network.lab" -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs" -Credential (Get-Credential "network.lab\azlocadmin")

image

image

Now we have two active domain controllers in our Active Directory environment, based on Windows Server 2022 Core edition.

image

Create a Central Store for your group policy ADMX and ADML files. Copy all the files from:
”C:\Windows\PolicyDefinitions” to “\\network.lab\SYSVOL\network.lab\Policies\PolicyDefinitions”.

image

Open the Group Policy Editor again and see if the policy definitions are loaded from the Central Store.

image

Wrap up:
We have created two domain controllers in Azure, based on Windows Server 2022 Core edition (no graphical user interface). We have created a new Active Directory Forest with a single domain ‘network.lab’. And last we have created the Central Store for storing the group policy definitions (ADMX and ADML) files.

In the next parts we are going to harden some security settings, configure Log Analytics for monitoring and configure Azure Backup for Back-up and Disaster Recovery.

Free eBook – How to Get the Most Out of Windows Admin Center – Second Edition

If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center!

With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center.

clip_image002

Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPs and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why chose it and how to work with it.

An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with.

Learn to simplify and optimize your server management tasks – Download your free eBook now!

Enable Azure Hybrid Benefit with Azure Resource Manager (ARM)

In Azure, you have the option to bring in your own licenses (Azure Hybrid Benefit). If you deploy a virtual machine using Azure Resource Manager (ARM) templates, this option is not enabled by default. Certainly for test environments, demos, but in many cases also production environments, you want to enable this option.

By adding the line below to your ARM template, the Azure Hybrid Benefit is enabled.

2021-10-19_21h12_41

2021-10-19_21h04_48

Remove DVD drive on Azure virtual machine

When you deploy a new virtual machine, for example Windows Server 2016/2019 or 2022, you’ll get the C: drive with the operating system, the D: drive for the TEMP storage (most of the VM types) and a DVD drive.

The DVD drive is not needed in some situations, for example on domain controllers. This type of servers you want to harden the security as much as possible. So, for domain controllers we’re deploying in our customer environments, we want to disable the DVD drive.

We run the following command when deploying new domain controllers in Azure.

## Disable DVD drive
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\cdrom -Name Start -Value 4 -Type DWord

After this step, reboot the server and your DVD drive is gone!

2021-09-23_16h37_49

2021-09-23_16h38_20

2021-09-23_16h51_07

Error: ‘User failed validation to purchase resources’ when deploying a virtual machine

Today I’ve deployed a new virtual machine within Azure using the Windows Server 2022 Azure Edition Preview Marketplace image. After running my Powershell script, I received an error:
’User failed validation to purchase resources. Error message: ‘You have not accepted the legal terms on this subscription: …..’

image

So, let’s take a look at the legal terms, also using Powershell. I’ve used a couple of variables.

$azureVmPublisherName = "MicrosoftWindowsServer"
$azureVmOffer = "microsoftserveroperatingsystems-previews"
$azureVmSkus = "windows-server-2022-azure-edition-preview"
$Version = "latest"


Get-AzMarketplaceTerms -Publisher $azureVmPublisherName -Product $azureVmOffer -Name $azureVmSkus

image

As you can see, the legal terms are not accepted yet!! With a small Powershell command, we can accept the legal terms.

Get-AzMarketplaceTerms -Publisher $azureVmPublisherName -Product $azureVmOffer -Name $azureVmSkus | Set-AzMarketplaceTerms -Accept

image

Now you’re good to go!!

Use Azure Bastion to access your virtual machine in Azure

As most of you know, it’s possible to provide a virtual machine in Azure with a public IP address. This IP address can then be used to build a connection to, for example, RDP or SSH.

This way of connecting takes place over the Internet, which entails a great security risk. In many environments we see jumpbox or stepping stone servers, which are placed in the DMZ. These servers can be accessed from the Internet, and from these servers a connection can be made to a server or multiple servers on the internal network.

Such an arrangement is not safe, unmanageable and vulnerable. Azure Bastion is a great addition to facilitate a secure connection to a virtual machine in Azure. Azure Bastion integrates into the Azure portal, requiring multi-factor authentication. The virtual machines do not need to have a public IP address, so they are not accessible directly from the Internet.

Azure Bastion is a fully managed, autoscaling and hardened PaaS service, to provide you secure RDP and SSH connectivity. Het is eenvoudig te configureren in slechts een aantal stappen. Door gebruik te maken van virtueel netwerk peering, is het mogelijk om Azure Bastion eenvoudig toe te voegen aan een bestaande configuratie in Azure.

image

  1. Configure a new virtual network for Azure Bastion
  2. Create a new subnet named ‘AzureBastionSubnet’ required for Azure Bastion
  3. Configure virtual network peering to your other networks
  4. Create an Azure Bastion host
  5. Login in the VM through the Azure portal using Azure Bastion
  6. See the list of active sessions in the Azure Bastion Host properties

2021-05-20_16h00_34    2021-05-20_16h00_532021-05-20_16h00_59    2021-05-20_16h01_102021-05-20_16h01_45    2021-05-20_16h11_542021-05-20_16h12_54    2021-05-20_16h15_14

Now you can securely connect through Azure Bastion to a virtual machine running RDP or SSH. As you can see, the virtual machine I’m connecting to has no public IP address, only a internal IP address.

image

PowerCLI: An Aspiring Automator’s Guide

Getting into scripting can be daunting. It’s easier to just use existing scripts found online, but if you choose this route you’ll quickly run into limitations. If you take the time to learn how to create your scripts, trust me, you’ll never look back!

clip_image002

Automating vSphere is particularly useful for countless applications and the best way is through PowerCLI – a version of PowerShell developed specifically for VMware. Learn how to develop your own PowerCLI scripts with this free 100+ page eBook from Altaro, PowerCLI: The Aspiring Automator’s Guide.

Written by VMware vExpert Xavier Avrillier, this eBook presents a use-case approach to learning how to automate tasks in vSphere environments using PowerCLI. We start by covering the basics of installation, set up, and an overview of PowerCLI terms. From there we move into scripting logic and script building with step-by-step instructions of truly useful custom scripts, including how to retrieve data on vSphere objects; display VM performance metrics; how to build HTML reports and schedule them; the basics on building functions; and more!

Stop looking at scripts online in envy because you wish you could build your own scripts.

Get started on your path to automation greatness – Download the eBook now!