IBM Cloud Docs
Dual AZ - Active Directory

Dual AZ - Active Directory

This section steps through the build tasks needed to create an additional Active Directory and Domain Name Server (ADDNS) server for the second AZ and join it to the existing forest\domain. This creates a highly available active directory across the AZs.

This guide assumes that you:

  • Have created your VPC and subnets as your requirements dictate.
  • Have configured the security group.
  • Have uploaded SSH keys.
  • You have configured an Active Directory forest with at least one domain controller.

Order a virtual server

A virtual server of the following specification is suitable for an ADDNS server host and can be ordered using the instructions at Creating virtual server instances by using the UI.

  • Profile: bx2-2x8
  • Type: Public
  • OS: Windows 2019
  • NIC Qty: 1
  • Data Volumes: None

Connect to the server

After the virtual server has been deployed you need to connect a Floating IP address to it so that you can access the server remotely, refer to Adding a floating IP address.

Refer to Connecting to Windows instances to access the Windows Administrator's password, however, in short the following commands are used from your laptop, where the instances command returns the <INSTANCE_ID> of the virtual server:

ibmcloud is instances
ibmcloud is instance-initialization-values <INSTANCE_ID> --private-key @~/.ssh/id_rsa

Add a domain controller

To add a domain controller to the existing forest\domain, the following commands are used:

  • The Get-DnsClientServerAddress captures the Interface Index for the IPv4 Ethernet interface, so that the DNS can be changed from the IBM Cloud DNS server to the ADDNS server. The Install-ADDSDomainController uses DNS to lookup the IP address of an existing domain controller.
  • Use Set-DnsClientServerAddress to set the <ADDNS_IP_Address> to the existing ADDNS server.
  • Create a secure string for the domain administrator's password for use in the credential variable $credential.
  • Install the AD features on the server using the Install-WindowsFeature command.
  • Install the server as a domain controller in the <Domain_Name> domain (for example, sqlserver.test) using a Safe Mode administrator password of <SafeModeAdministratorPassword>. This password should adhere to your required standards and kept securely.
  • The server will restart.
$dns = "<ADDNS_IP_Address>"
$domainnb = "<NB_Domain>"
$user = $domainnb + "\Administrator"
$password = "<password>"
$domainfull = <Domain_Name>
$smpassword = "<Safe_Mode_Admin_Password>"
$out=Get-DnsClientServerAddress -InterfaceAlias Ethernet -AddressFamily IPv4 | Select-Object -Property InterfaceIndex
Set-DnsClientServerAddress -InterfaceIndex $out.InterfaceIndex -ServerAddresses ($dns)
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($user, $secpassword)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domainfull -InstallDns:$true -Credential $credential -SafeModeAdministratorPassword (ConvertTo-SecureString $smadminpassword -AsPlainText -Force) -Force

Create an AD group

The following Powershell commands create a new AD group named <name>, and adds the cluster object to it <cluster_name>:

$name = "<name>"
$displayname = "<display_name>"
$clustername = "<cluster_name>"
$fileshareSG = "<fileshare>"
$domainnb = "<NB_Domain>"
$dnssuffix = "<suffix>"
$path = "CN=Users,DC=" + $domainnb + ",DC=" + $dnssuffix
$description = "Used by WSFC clusters"
New-ADGroup -Name $name -SamAccountName $fileshareSG -GroupCategory Security -GroupScope Global -DisplayName $displayname -Path $path -Description $description
Add-ADGroupMember -Identity $fileshareSG -Members $clustername