Install and configure ADDS on Windows Server 2022 Core in Azure (Part 2)

A question I often get is: ‘Why should I use Windows Server Core edition? It is difficult to manage and I do not like a server without a graphical interface.’

The first thing I always say is: you DON’T HAVE to do anything, but my advice is to do it, especially for a number of crucial server roles.

Some advantages of Windows Server Core edition at a glance:

· It’s faster (fewer services running, no overhead, no graphical user interface)

· More secure

· It’s modern

· Less disk space required

· Smaller footprint

· Smaller attack surface

· Faster deployment

Difference in installed services:

On Windows Server 2022 with a graphical user interface, there are 210 installed services. On the Windows Server Core edition, there are just 127 installed services. That’s a big difference of 83 services.


Difference in running services:

On Windows Server 2022 with a graphical user interface, there are 73 running services. On Windows Server Core edition, there are just 66 running services. That’s a difference of 7 services.


Used diskspace on the C drive

On Windows Server 2022 with a graphical user interface, the installation of the operating system uses around 13 GB of space.


The Windows Server Core edition uses just around 9 GB of space for the operating system.


Performance (CPU and memory)

In performance, there is little difference under ‘normal’ usage of the server. The memory usage is around 1.6 GB on Server Core edition and 2.1 GB on the graphical version. The CPU load is also a little lower, as you can see.


Summary:

The choice of whether or not to deploy Windows Server Core within the infrastructure depends on a number of things. First of all, the workload or application must be suitable to run on Server Core. This is certainly not the case for all applications or server roles.

Especially for crucial server roles, such as domain controllers, it is advisable to use Server Core. It offers a number of advantages, which contribute to a more stable and secure environment.

And with Remote Server Administration Tools (RSAT), Microsoft Management Console (MMC), Windows Admin Center or Arc, a Windows Server Core installation is easy to manage.

Install and configure ADDS on Windows Server 2022 Core in Azure (Part 1)

Today, I’m going to show you how to install and configure Active Directory Domain Services on Windows Server 2022 Core edition on Azure.

I’ve used some ARM templates to deploy my two domain controllers in Azure, based on Windows Server 2022 Core edition. These servers are in a separate subnet within my Azure environment. In this example, I have two domain controllers, mss-dc-core001 and mss-dc-core002.

The first step is to configure the following things:

  • Machine name
  • Static IP from the Azure Portal (NOT within the VM)
  • Static DNS from the Azure Portal (NOT within the VM)
  • Date and Time
  • Install all the latest updates


After logging in to the first domain controller, there’s just one big black screen with ‘SCONFIG’ open, that’s all!


The next step is to prepare the data partition on our second disk, which will hold the ADDS database, NETLOGON and SYSVOL directories. For this configuration, we are using DISKPART. We have created a new volume on the second disk. It’s drive D: with 16 GiB of storage, and disk caching is disabled.


After the first configuration of the servers, we are ready to start the installation of the necessary services and features. Press ‘15’ to enter PowerShell.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools


Install-ADDSForest -DomainName "network.lab" -DomainMode 7 -ForestMode 7 -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs"


Because we are using Windows Core edition, we don’t have any graphical management tools on the domain controllers. Therefore, we have installed the Remote Server Administration Tools or RSAT on a management server.


Here we can start ‘Active Directory Users & Computers’ to take a look at our newly created Active Directory environment.

Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools


Install-ADDSDomainController -DomainName "network.lab" -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "D:\Logs" -Credential (Get-Credential "network.lab\azlocadmin")


Now we have two active domain controllers in our Active Directory environment, based on Windows Server 2022 Core edition.
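
To confirm what the two promotions above produced, the following check can be run in PowerShell on either domain controller. It is an added example, not part of the original post; it assumes the network.lab domain and the D:\ paths used above, and the function name Test-DcPlacement is hypothetical.

```powershell
# Added example: verify the AD DS layout described in this post.
# Assumes it runs locally on a domain controller of network.lab.
Import-Module ActiveDirectory

function Test-DcPlacement {
    param(
        [string]$ExpectedRoot = 'D:\'   # data volume used in this post
    )

    # Paths that AD DS recorded in the registry at promotion time
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    $paths = [ordered]@{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        SysVol   = $netlogon.SysVol
    }

    foreach ($item in $paths.GetEnumerator()) {
        [pscustomobject]@{
            Check  = "$($item.Key) path"
            Value  = $item.Value
            Passed = [bool]($item.Value -like "$ExpectedRoot*")
        }
    }

    # A healthy domain controller shares both SYSVOL and NETLOGON
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $smb = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "$share share"
            Value  = $smb.Path
            Passed = [bool]$smb
        }
    }
}

Test-DcPlacement | Format-Table -AutoSize

# Both domain controllers should be listed here
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperatingSystem

# Replication failures in the domain; no output means none are recorded
Get-ADReplicationFailure -Target 'network.lab' -Scope Domain
```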


Create a Central Store for your group policy ADMX and ADML files. Copy all the files from:
“C:\Windows\PolicyDefinitions” to “\\network.lab\SYSVOL\network.lab\Policies\PolicyDefinitions”.


Open the Group Policy Editor again and see if the policy definitions are loaded from the Central Store.
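
The copy to the Central Store can also be scripted and checked from PowerShell. This is an added example, not part of the original post; it uses the two paths given above, and the function name Compare-PolicyStore is hypothetical.

```powershell
# Added example: populate the Central Store and confirm the copy.
$source  = 'C:\Windows\PolicyDefinitions'
$central = '\\network.lab\SYSVOL\network.lab\Policies\PolicyDefinitions'

# Copy the ADMX files and the language subfolders with their ADML files
New-Item -Path $central -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Compare every source file with its copy by relative path and SHA-256 hash
function Compare-PolicyStore {
    param([string]$Source, [string]$Central)

    Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $Central $relative

        $state = if (-not (Test-Path -LiteralPath $target)) {
            'Missing'
        } elseif ((Get-FileHash -LiteralPath $_.FullName).Hash -ne
                  (Get-FileHash -LiteralPath $target).Hash) {
            'Different'
        } else {
            'Match'
        }
        [pscustomobject]@{ File = $relative; State = $state }
    }
}

# Summary per state; anything other than 'Match' needs a closer look
Compare-PolicyStore -Source $source -Central $central |
    Group-Object State | Select-Object Name, Count
```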


Wrap up:
We have created two domain controllers in Azure, based on Windows Server 2022 Core edition (no graphical user interface). We have created a new Active Directory Forest with a single domain ‘network.lab’. And last we have created the Central Store for storing the group policy definitions (ADMX and ADML) files.

In the next parts we are going to harden some security settings, configure Log Analytics for monitoring and configure Azure Backup for Back-up and Disaster Recovery.

Remove DVD drive on Azure virtual machine

When you deploy a new virtual machine, for example Windows Server 2016/2019 or 2022, you’ll get the C: drive with the operating system, the D: drive for the TEMP storage (most of the VM types) and a DVD drive.

The DVD drive is not needed in some situations, for example on domain controllers. On this type of server, you want to harden the security as much as possible. So, for the domain controllers we’re deploying in our customer environments, we want to disable the DVD drive.

We run the following command when deploying new domain controllers in Azure.

## Disable DVD drive
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\cdrom -Name Start -Value 4 -Type DWord

After this step, reboot the server and your DVD drive is gone!


Restricting RDP access to Azure virtual machines

By default, every VM you’ve created within Azure has RDP (Remote Desktop Protocol) on port 3389 enabled. You can access your VM from anywhere in the world.

You can restrict RDP access to just the IP addresses you want, so you can limit the access. So, for example, you can allow only your company IP address and maybe your home address to access the specific VM in Azure.

To restrict access, I’ve created an NSG (Network Security Group) with the following configuration:

1.) Create a new Inbound security rule with a priority of 4095 (any number below the default of 65000 is fine!!)
2.) Configure the following rule:

Priority: 4096
Name: Deny-RDP-Access
Source: Service Tag
Source service tag: Internet
Source port ranges: *
Destination: VirtualNetwork
Destination port ranges: 3389
Protocol: TCP
Action: Deny

3.) Configure a second rule:

Priority: 4095
Name: Allow-RDP-Access
Source: IP Addresses
Source IP Addresses/CIDR ranges: YOUR IP ADDRESSES
Source port ranges: *
Destination: Any
Destination port ranges: 3389
Protocol: TCP
Action: Allow


Now you can test your new configuration. RDP access is only allowed from your custom IP addresses!!
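
The same two rules can be created with the Az PowerShell module instead of the portal, followed by a check for other inbound rules that would let RDP in ahead of the deny. This is an added example, not part of the original post; the resource group, the NSG name and the 203.0.113.10/32 address are placeholders, and Test-PortCovered is a hypothetical helper.

```powershell
# Added example: the two RDP rules from this post, created with Az PowerShell.
# Assumptions: resource group, NSG name and allowed CIDR are placeholders.
$resourceGroup = 'rg-placeholder'
$nsgName       = 'nsg-placeholder'
$allowedCidrs  = @('203.0.113.10/32')   # constructed documentation address

$common = @{
    Direction = 'Inbound'; Protocol = 'Tcp'
    SourcePortRange = '*'; DestinationPortRange = '3389'
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# A lower priority number is evaluated first, so 4095 (allow) wins over 4096 (deny)
$nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Allow-RDP-Access' -Priority 4095 `
    -Access Allow -SourceAddressPrefix $allowedCidrs -DestinationAddressPrefix '*' | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Deny-RDP-Access' -Priority 4096 `
    -Access Deny -SourceAddressPrefix 'Internet' -DestinationAddressPrefix 'VirtualNetwork' | Out-Null
$nsg = $nsg | Set-AzNetworkSecurityGroup

# True when a rule's destination port list covers the given port
function Test-PortCovered {
    param([string[]]$Ranges, [int]$Port)
    foreach ($range in $Ranges) {
        if ($range -eq '*') { return $true }
        $low, $high = $range -split '-'
        if (-not $high) { $high = $low }
        if ($Port -ge [int]$low -and $Port -le [int]$high) { return $true }
    }
    return $false
}

# Any other inbound allow rule covering 3389 is evaluated before the deny
$nsg.SecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        $_.Name -ne 'Allow-RDP-Access' -and $_.Priority -lt 4096 -and
        $_.Protocol -in 'Tcp', '*' -and
        (Test-PortCovered -Ranges $_.DestinationPortRange -Port 3389)
    } |
    Sort-Object Priority |
    Select-Object Priority, Name, SourceAddressPrefix, DestinationPortRange
```

An empty result from the last pipeline means no other inbound allow rule covers port 3389 ahead of Deny-RDP-Access.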

Experts Live NL 2018 Intro Movie

Last Tuesday, it was a great day again! Experts Live 2018 NL. The biggest community event in the Netherlands. Great sessions, great speakers, very high level of content, great demos and of course as always a great intro movie!! 🙂 Many thanks to the organization of Experts Live! See you next year!!

http://www.expertslive.nl