Preparing your AD can (and will) save you a lot of time if you do it properly.
Heating up Google servers told me that there is very little or no info to be found regarding this part, so here is my input to whoever wants to read up on it.
Design your infrastructure
Before you start with the configuration you will need to decide upon some design questions:
– Forest and domain to be used
– How many DC’s will I deploy? (recommended to have at least 2)
– What roles will I install on them?
– Do I want to have my DC’s virtual or physical?
– If virtual, where will I host them? On the fabric Hyper-V servers or outside of it?
– What’s the scope of my private cloud? Test Lab, QA or Production environment?
For Production environments you might want to choose physical boxes as these have the advantage that they will still be running if your Fabric goes down (for whatever reason). This seems to be the most safe solution, only it brings some additional license & hardware costs along compared with running virtual DCs on the Fabric. In this case the licenses cost is covered if you have installed Windows Server 2012 R2 Datacenter on your Fabric Hyper-V hosts.
See more on best practices regarding virtual DCs:
See more on Microsoft-Server-Virtualization-Licensing (e-book)
My personal prefered solution is one that makes use of ‘best of both worlds’: 1 virtual DC running on the fabric and 1 DC on a physical host.
QA environments should most optimally reflect the Production environment, when it comes to DEV/TEST you could run everyting virtual.
When all DC’s are virtual, don’t place them on SMB3 fileshare (or at least not all of them) as all incoming requests needs to get authenticated and you might run into the chicken/egg problem.
In ANY of the above situations: ALWAYS make sure to have frequent backups ! (remember that backups only have use if they are tested from time to time)
ADFS design considerations
Remember that in some later stage you will also need to configure ADFS, here you also have some options to think about:
– Do I install the ADFS role on my DC’s or will I have dedicated hosts?
– Physical or Virtual?
– Single or redundant host?
Note that ADFS requires a database and that ADFS is NOT part of the System Center Suite, so you cannot benifit on reduced license costs by installing the DB on the ‘core’ Cloud SQL (the one hosting all the SQL instances for System Center and which is included in the System Center License).
Again, some options are available, you could install an internal database or make use of the free SQL express or install a full blown (expensive) SQL, running on a dedicated host or on the ADFS server itself.
If ADFS is crusial to your environment then make sure that you have a second ADFS available (NLB) and that a dedicated SQL (cluster?) should also be installed. Regarding the latter, an always available SQL DB is only required when you need to perform ADFS configuration changes when one of the ADFS nodes is not available. You could install an internal DB on the first ADFS and when this node is down, the second one will still be able to do what it’s designed for (except you will not be able to make changes as the DB resides on the first node)
OS installation tips
Before installing the AD DS role on a physical box, make sure that you have installed the latest drivers/firmware from the hardware vendor and run Windows Update.
When you have decided to go for a VM: select a Gen2 VM during setup as this has some advantages over Gen1 VM’s, note that it’s important to select this during the VM creation wizard as it is not possible to change after it has been installed. Also double check if the integration services are installed properly.
In both cases, first thing to do is to properly configure IP settings as otherwise you will get prereq remarks during setup of the DC roles.
Domain Controller configuration tips
don’t forget about spreading the FSMO roles, configuring time servers and especially make sure that DNS is behaving as expected (zone transfer delegation, forwarders, ..) !! When your DCs are virtual, configure them to be ‘higly available’.
Forest and domain
Installing your first Cloud domain controller requires it’s own domain and preferably you want to have a dedicated forest/domain for this setup,
ADFS will make it possible to authenticate against other forests/domains so don’t worry about that right now.
If you want to deploy in an existing forest, then at least make sure that you have at least a dedicated sub domain.
After the AD DS role installation, you will have the option to promote to a domain controller.
For our setup you must choose between ‘add a new domain to an existing forest’ or ‘add a new forest’.
Next, select the functional level for the forest and/or domain, (if your environment allows, the prefered setting is Windows Server 2012 R2) and if you want to add DNS to the DC capabilities (yes you want to have that). Another wise thing to do is to run the BPA after adding the role(s).
Looking for PowerShell commands ? https://technet.microsoft.com/en-us/library/hh472162.aspx
Prepare the environment
Once the AD Domain Service Role is installed we must prepare by:
– adding users to the domain
– adding service accounts to the domain
– adding computer objects to the domain
– adding security groups to the domain
– adding addtional OU’s to the domain
– adding GPO’s to the domain (firewall, remote desktop, admin rights, Windows update, security, …the more you can automate, the better!)
Either way, if you install the private cloud by PDT (see my first blog post) or by hand, the more you have prepared, the faster you will be able to finish.
These are a ‘must’ have, depending on the level of delegation, you might need to add more security groups to fill your needs.