Creating a Windows Active Directory Domain Controller in Oracle Cloud Infrastructure

John Parker
Cloud Solution Architect

There are several circumstances under which you might want to create a new Windows Active Directory (AD) environment. This post describes how to use Oracle Cloud Infrastructure to build a new AD domain controller. By using Microsoft PowerShell and the Oracle Cloud Infrastructure cloudbase-init scripts, you can automate the process and remove most of the manual work of building Windows AD. You place your script in the User data section of the Advanced options when you create the host in the Oracle Cloud Infrastructure Console.

This post talks only about the automation of the AD domain controller, and not about your virtual cloud network (VCN) and network environment. You can learn more in the Creating Windows Active Directory Domain Servers in Oracle Cloud Infrastructure white paper. The following diagram shows the basic architecture of how you would build your VCN and subnets:

Automating the Deployment of the AD Domain Controller

When you are planning your domain, your first task is to determine how you want to structure your forest. Building an AD forest can get complicated if you have numerous subdomains and trust dependencies, so this post keeps it simple by using a single forest with a single tree.

For more information about forests, see the Microsoft documentation.

Scripting the Host Deployment

Let’s jump into some PowerShell code. First, ensure that you have the correct header for the cloudbase-init script. The script must run in ps1_sysnative mode so that cloudbase-init starts the 64-bit PowerShell host and interprets the script correctly.

#ps1_sysnative

Then, set the local administrator password and activate the administrator account (which is deactivated by default in Oracle Cloud Infrastructure Windows images). The account will be cloned, and the clone will be turned into the domain administrator, so ensure that the password is secure and meets the standard of special characters, numbers, and a mix of uppercase and lowercase letters. This password is temporary, and you’ll change it later in the process.

$password="P@ssw0rd123!!"
# Set the Administrator Password and activate the Domain Admin Account
net user Administrator $password /logonpasswordchg:no /active:yes

After you activate the administrator account, install the prerequisites for the AD Domain Services. The first of these Windows features and roles is the .NET Framework 3.0, which provides the backward-compatible code line. Next are the AD Domain Services role and the Remote Active Directory Services tools, which are the core management features for AD. Finally, install the DNS Services tools, because DNS resolves most of the communication issues within the AD domain.

Install-WindowsFeature NET-Framework-Core
Install-WindowsFeature AD-Domain-Services
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature RSAT-DNS-Server

After you install the prerequisites, you reboot the new host. However, before you reboot, create a RUNONCE script that finishes building the AD forest. For this task, write the contents of the RUNONCE script into a text file. This script, which runs at the next login by the local administrator after the reboot, imports the PowerShell module ADDSDeployment and then runs the Install-ADDSForest command, which names the forest and promotes the host to a domain controller. After these actions are done, the host reboots automatically.

# Create the text block for the new script that will run once on reboot.
# The here-string is expandable, so every $ and backtick that must survive
# into the generated file is escaped with a backtick.
$addsmodule02 = @"
#ps1_sysnative
Try {
    Start-Transcript -Path C:\DomainJoin\stage2.txt
    `$password = "P@ssw0rd123!!"
    `$FullDomainName = "cesa.corp"
    `$ShortDomainName = "CESA"
    `$encrypted = ConvertTo-SecureString `$password -AsPlainText -Force
    Import-Module ADDSDeployment
    Install-ADDSForest ``
        -CreateDnsDelegation:`$false ``
        -DatabasePath "C:\Windows\NTDS" ``
        -DomainMode "WinThreshold" ``
        -DomainName `$FullDomainName ``
        -DomainNetbiosName `$ShortDomainName ``
        -ForestMode "WinThreshold" ``
        -InstallDns:`$true ``
        -LogPath "C:\Windows\NTDS" ``
        -NoRebootOnCompletion:`$false ``
        -SysvolPath "C:\Windows\SYSVOL" ``
        -SafeModeAdministratorPassword `$encrypted ``
        -Force:`$true
} Catch {
    # Escaped so that the error is written by the generated script, not
    # expanded (to nothing) while this here-string is being built.
    Write-Host `$_
} Finally {
    Stop-Transcript
}
"@
# Add-Content does not create missing directories, so make sure C:\DomainJoin exists.
New-Item -ItemType Directory -Path "C:\DomainJoin" -Force | Out-Null
Add-Content -Path "C:\DomainJoin\ADDCmodule2.ps1" -Value $addsmodule02

Then, add the RUNONCE key for the next time that the administrator logs in to the host.

# Add the RunOnce job. A RunOnce entry executes at the next interactive
# administrator logon, and Windows deletes the entry before it runs, so the
# stage-2 script starts when you log in after the reboot.
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Set-ItemProperty -Path $RunOnceKey -Name "NextRun" -Value ('C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -executionPolicy Unrestricted -File ' + "C:\DomainJoin\ADDCmodule2.ps1")

Rebooting

After all the prerequisites have finished installing, you are ready to reboot the host. Rebooting makes the installation cleaner and reduces the number of errors that can occur when you install the new AD forest.

# Last step is to reboot the local host
Restart-Computer -ComputerName "localhost" -Force

After the reboot, the forest is installed using the RUNONCE script, as shown in the following screenshot. After the forest is installed, the host automatically reboots again.

Final Checks

Check your forest to ensure that everything is correct. Use the Get-ADForest command to get the basic information that you need to confirm that your domain was installed correctly.

On your next login, change the administrator password with the Set-ADAccountPassword command to ensure the security of your domain.
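The two checks above, carried out as one script, as an added example that is not part of the original post. It assumes the forest name cesa.corp, the C:\DomainJoin paths and the RunOnce value name used earlier in this post, and it is meant to be run interactively as the domain Administrator after the second reboot. It also removes the stage-2 script, because that file still holds the temporary password in clear text.

```powershell
# Added post-installation check script (example code, not from the original
# post). Assumes the forest "cesa.corp" and the C:\DomainJoin paths used above.
Import-Module ActiveDirectory

$ExpectedDomain = "cesa.corp"
$Stage2Script   = "C:\DomainJoin\ADDCmodule2.ps1"
$RunOnceKey     = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# 1. Confirm the forest root and that this host is a domain controller.
$forest = Get-ADForest
if ($forest.RootDomain -ne $ExpectedDomain) {
    throw "Forest root is '$($forest.RootDomain)', expected '$ExpectedDomain'"
}
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
"Forest mode    : $($forest.ForestMode)"
"DC hostname    : $($dc.HostName)"
"Global catalog : $($dc.IsGlobalCatalog)"
"FSMO roles     : $($dc.OperationMasterRoles -join ', ')"

# 2. Confirm that DNS is running and that the DC locator SRV record resolves;
#    domain members find the domain controller through this record.
if ((Get-Service -Name DNS).Status -ne 'Running') {
    throw "The DNS Server service is not running"
}
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ExpectedDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "DC locator SRV record for $ExpectedDomain not found in DNS" }

# 3. Replace the temporary password that was hard-coded in the build scripts.
#    Reading it as a SecureString keeps it off the command line and out of transcripts.
$newPassword = Read-Host -Prompt "New password for $ExpectedDomain\Administrator" -AsSecureString
Set-ADAccountPassword -Identity "Administrator" -Reset -NewPassword $newPassword

# 4. The stage-2 script still contains the temporary password in clear text,
#    so delete it, and make sure the RunOnce entry did not survive.
if (Test-Path $Stage2Script) { Remove-Item -Path $Stage2Script -Force }
if (Get-ItemProperty -Path $RunOnceKey -Name "NextRun" -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $RunOnceKey -Name "NextRun"
}
"Post-installation checks completed for $ExpectedDomain"
```

The script stops at the first failed check rather than continuing, so a missing SRV record or a wrong forest root is caught before the password is rotated and the build files are removed.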

Final Script

Here is the entire script. In addition to all the parts discussed previously, it enables logging so that you can track and troubleshoot the operations.

#ps1_sysnative
# Start-Transcript and Add-Content both need the C:\DomainJoin directory to exist,
# so create it first.
New-Item -ItemType Directory -Path "C:\DomainJoin" -Force | Out-Null
Try {
    #
    # Start the logging in the C:\DomainJoin directory
    #
    Start-Transcript -Path "C:\DomainJoin\stage1.txt"
    # Global Variables
    $password="P@ssw0rd123!!"
    # Set the Administrator Password and activate the Domain Admin Account
    #
    net user Administrator $password /logonpasswordchg:no /active:yes
    # Install the Windows features necessary for Active Directory
    # Features
    # - .NET Framework Core (NET-Framework-Core)
    # - Active Directory Domain Services
    # - Remote Active Directory Services
    # - DNS Services
    #
    Install-WindowsFeature NET-Framework-Core
    Install-WindowsFeature AD-Domain-Services
    Install-WindowsFeature RSAT-ADDS
    Install-WindowsFeature RSAT-DNS-Server
    # Create the text block for the new script that will run once on reboot.
    # Every $ and backtick that must survive into the generated file is escaped.
    #
    $addsmodule02 = @"
#ps1_sysnative
Try {
    Start-Transcript -Path C:\DomainJoin\stage2.txt
    `$password = "P@ssw0rd123!!"
    `$FullDomainName = "cesa.corp"
    `$ShortDomainName = "CESA"
    `$encrypted = ConvertTo-SecureString `$password -AsPlainText -Force
    Import-Module ADDSDeployment
    Install-ADDSForest ``
        -CreateDnsDelegation:`$false ``
        -DatabasePath "C:\Windows\NTDS" ``
        -DomainMode "WinThreshold" ``
        -DomainName `$FullDomainName ``
        -DomainNetbiosName `$ShortDomainName ``
        -ForestMode "WinThreshold" ``
        -InstallDns:`$true ``
        -LogPath "C:\Windows\NTDS" ``
        -NoRebootOnCompletion:`$false ``
        -SysvolPath "C:\Windows\SYSVOL" ``
        -SafeModeAdministratorPassword `$encrypted ``
        -Force:`$true
} Catch {
    Write-Host `$_
} Finally {
    Stop-Transcript
}
"@
    Add-Content -Path "C:\DomainJoin\ADDCmodule2.ps1" -Value $addsmodule02
    # Add the RunOnce job, which runs at the next interactive administrator logon
    #
    $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    Set-ItemProperty -Path $RunOnceKey -Name "NextRun" -Value ('C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -executionPolicy Unrestricted -File ' + "C:\DomainJoin\ADDCmodule2.ps1")
} Catch {
    Write-Host $_
} Finally {
    # End the logging
    #
    Stop-Transcript
}
# Last step is to reboot the local host
Restart-Computer -ComputerName "localhost" -Force

Summary

This is a simple script for installing your first AD domain controller. The process requires two reboots, and it takes about 20-25 minutes for all of the Windows features to install. This is just the first step in building a larger domain. The "Creating Your Windows Active Directory Domain Servers in Oracle Cloud Infrastructure" white paper walks you through additional steps to build a resilient AD environment on Oracle Cloud Infrastructure. Be sure to download the white paper, and check out how you can get your free Oracle Cloud Infrastructure trial account.
