IBM Cloud Docs
Dual MZR - Active Directory

Dual MZR - Active Directory

This section steps through the build tasks needed to create an additional Active Directory and Domain Name Server (ADDNS) server for the recovery MZR, and join it to the existing forest\domain in the primary MZR. This creates a highly available active directory across the MZRs.

This guide assumes that you:

  • Have created your VPC and subnets as your requirements dictate.
  • Have configured the security groups.
  • Have uploaded SSH keys.
  • You have configured an Active Directory forest with at least one domain controller.

Order a virtual server

A virtual server of the following specification is suitable for an ADDNS server host and can be ordered using the instructions at Creating virtual server instances by using the UI.

  • Profile: bx2-2x8
  • Type: Public
  • OS: WIndows 2019
  • NIC Qty: 1
  • Data Volumes: None

Connect to the server

After the virtual server has been deployed you need to connect a Floating IP address to it so that you can access the server remotely, refer to Adding a floating IP address.

Refer to Connecting to Windows instances to access the Windows Administrator's password, however, in short the following commands are used from your laptop, where the instances command returns the <INSTANCE_ID> of the virtual server:

ibmcloud is instances
ibmcloud is instance-initialization-values <INSTANCE_ID> --private-key @~/.ssh/id_rsa

Add a domain controller

To add a domain controller to the existing forest\domain, the following commands are used:

  • The Get-DnsClientServerAddress captures the Interface Index for the IPv4 Ethernet interface, so that the DNS can be changed from the IBM Cloud DNS server to the ADDNS server. The Install-ADDSDomainController uses DNS to lookup the IP address of an existing domain controller.
  • Use Set-DnsClientServerAddress to set the <ADDNS_IP_Address> to the existing ADDNS server.
  • Create a secure string for the domain administrator's password for use in the credential variable $credential.
  • Install the AD features on the server using the Install-WindowsFeature command.
  • Install the server as a domain controller in the <Domain_Name> domain, e.g. sqlserver.test, using a Safe Mode Administrator Password of <SafeModeAdministratorPassword>. This password should adhere to your required standards and kept securely.
  • The server will reboot.
$dns = "<ADDNS_IP_Address>"
$domainnb = "<NB_Domain>"
$user = $domainnb + "\Administrator"
$password = "<password>"
$domainfull = <Domain_Name>
$smpassword = "<Safe_Mode_Admin_Password>"
$out=Get-DnsClientServerAddress -InterfaceAlias Ethernet -AddressFamily IPv4 | Select-Object -Property InterfaceIndex
Set-DnsClientServerAddress -InterfaceIndex $out.InterfaceIndex -ServerAddresses ($dns)
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($user, $secpassword)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domainfull -InstallDns:$true -Credential $credential -SafeModeAdministratorPassword (ConvertTo-SecureString $smadminpassword -AsPlainText -Force) -Force