Contents
Lab Requirements (page 2)
Getting Set for Success (page 2)
Concentrate on What You Need Most (page 2)
Lab 1: Building the Foundation (page 3)
    Login to the Azure Portal (page 4)
    Create a new virtual network and subnets for objects (page 4)
    Connect to Azure with PowerShell (page 5)
    Create a new storage account using PowerShell (page 7)
    Alternatively - Create a new storage account from the Azure management portal (page 8)
    Create a new service with PowerShell (page 8)
    Alternatively - Create a new service from the Microsoft Azure management portal (page 9)
Lab 2: Building Workloads (page 9)
    Deploy domain controllers in Microsoft Azure (page 10)
    Preparing to Remotely Connect to Azure Virtual Machines (page 10)
    Create users in your Active Directory (page 12)
    Explore the virtual machines and connect via RDP (page 13)
    DC01 designated static IP - Using the New Preview Portal (page 14)
    Next you will deploy the 2nd domain controller for your forest (page 16)
Lab 3: Working with Identity (page 17)
    Create a new Azure Active Directory environment (page 17)
    Create an Azure Active Directory Administrator account (page 18)
    Set a password for your admin account (page 19)
    Configure and test the AADSync Service (page 20)
    Implementing Multi-Factor Authentication (page 23)
    Testing Multi-Factor Authentication (page 23)
Lab 4: Automating Deployments of SQL and IIS (page 25)
APPENDIX - Perform the following tasks in the Azure management portal to set up your Virtual Machines (page 26)
Version 4.4 1
Lab Requirements
The following components are required to successfully complete this Hands-on Lab:
A Microsoft Azure Account and Credentials
A modern web-browser with HTML5 and JavaScript enabled
Remote Desktop Client connection software
Internet connectivity
Identification for building access
10” or larger screen recommended
Your own wireless hotspot (if you have one)
The ability to install software (admin rights) for the installation of the Azure PowerShell Module
In addition, this hands-on lab guide assumes that lab participants are comfortable with
performing the steps involved in implementing Windows Server 2012 and Active Directory in an
on-premises datacenter environment.
The goal of this lab is to set up an Active Directory environment in Azure using PowerShell,
PowerShell Remoting and, where necessary, the Azure portal.
o Lab 3
If you are interested in using Availability Sets to take advantage of the Azure SLA and/or
to get hands-on with PowerShell, do:
o Lab 1
o Lab 2
The services mentioned above are the core components that provide a foundation for your
applications, virtual machines and hybrid connectivity in Azure. Getting this layer right
provides a sound architecture for all of your cloud services. Here is a conceptual model of this
lab:
Login to the Azure Portal
In this task you will log in to the Azure Portal to ensure your subscription is ready to go. You
will find yourself returning to the portal to confirm your PowerShell actions and check your work.
Perform the following tasks:
1. Open a browser, and then navigate to http://manage.windowsazure.com.
2. Click PORTAL located at the top of the Microsoft Azure site.
3. Log in using your Microsoft Azure credentials for your Microsoft Azure subscription.
4. If this is your first time logging into your Azure management portal, close the WINDOWS
AZURE TOUR.
First, you will create a Microsoft Azure network object and corresponding subnets. Virtual
Network lets you provision and manage virtual networks in Azure and, optionally, link them via
secured VPN tunnels with your on-premises IT infrastructure to create hybrid and cross-premises
solutions. With virtual networks, IT administrators can control network topology, including
configuration of DNS and IP address ranges.
The virtual network you are creating will provide the IP addresses assigned to the objects and
virtual machines you create in later labs, all of which will be associated with this virtual
network. You will also use subnets to organize those IP addresses.
1. In the Azure management portal (in the leftmost column), scroll to and click
NETWORKS.
2. Click NEW (Plus “+” Sign) located at the bottom of the Azure management portal
3. Click CUSTOM CREATE.
4. In NAME, type XXX-VNet and then in LOCATION, select your location, and then
click the Next arrow.
5. Set your DNS server to DNS-DC01 with an IP Address of 192.168.10.4. (This is the
IP Address of the domain controller you will be creating later in the lab, which will
also be handling the DNS for this virtual network.)
6. Click the Right Arrow.
7. In STARTING IP, type 192.168.0.0.
8. In CIDR (ADDRESS COUNT), select /16.
9. Under SUBNETS, highlight Subnet-1, and then replace it with Core-Subnet
10. Under STARTING IP, type 192.168.10.0.
11. Under CIDR (ADDRESS COUNT) select /24.
12. Under SUBNETS, click add subnet.
13. Replace Subnet-2 with App-Subnet
14. Set the STARTING IP to 192.168.11.0.
15. Set the CIDR (ADDRESS COUNT) to /24.
16. Click the Complete icon (Check Mark).
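The same network can be defined from Azure PowerShell instead of the portal. The following is an added example, not one of the lab's own snippets; it assumes the Azure module is loaded and a subscription selected (see "Connect to Azure with PowerShell"), uses "East US" as a placeholder location, and replaces XXX with your unique ID. The caveat that matters: Set-AzureVNetConfig replaces the entire network configuration of the subscription, so the script exports the current configuration first and refuses to overwrite if any other virtual network already exists.

```powershell
# Added example: build the lab virtual network from PowerShell (classic Azure module).
# Assumptions: "East US" is a placeholder location; XXX is your unique ID.
$vnetName = "XXX-VNet"
$location = "East US"
$dcDnsIp  = "192.168.10.4"   # first assignable address in Core-Subnet (Azure reserves .0 to .3)

# Set-AzureVNetConfig overwrites the whole subscription network config.
# Export what is there now so nothing is lost, and stop if another VNet exists.
$backup = Join-Path $env:TEMP "netcfg-backup.xml"
Get-AzureVNetConfig -ExportToFile $backup -ErrorAction SilentlyContinue | Out-Null
$existing = Get-AzureVNetSite | Where-Object { $_.Name -ne $vnetName }
if ($existing) {
    throw "Other virtual networks exist ($($existing.Name -join ', ')); merge $backup by hand instead of overwriting."
}

$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="DNS-DC01" IPAddress="$dcDnsIp" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="$vnetName" Location="$location">
        <AddressSpace>
          <AddressPrefix>192.168.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Core-Subnet"><AddressPrefix>192.168.10.0/24</AddressPrefix></Subnet>
          <Subnet name="App-Subnet"><AddressPrefix>192.168.11.0/24</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DNS-DC01" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

$cfgPath = Join-Path $env:TEMP "netcfg.xml"
$netcfg | Out-File -FilePath $cfgPath -Encoding utf8
Set-AzureVNetConfig -ConfigurationPath $cfgPath

# Confirm what Azure actually stored before building anything on top of it.
$site = Get-AzureVNetSite -VNetName $vnetName
$site.Subnets    | Select-Object Name, AddressPrefix
$site.DnsServers | Select-Object Name, Address
```

Until DC01 exists, the DNS-DC01 entry points at an address that answers nothing; VMs created in this network before the domain controller is up will fail name resolution, which is why the lab builds the domain controller at exactly 192.168.10.4.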
3. When prompted click run and follow the installation prompts. You may be prompted to
download and install additional components.
4. After installation is complete, on your Start Screen or Start Menu locate Microsoft Azure
PowerShell ISE and start it. You will want to run ISE as an Administrator.
5. In the scripting pane at the top you can either type the code from this manual or copy in
all the code from http://bit.ly/AzureQ4Snippets. Then run the various lines individually
or in small groups.
6. You will now need to connect Microsoft Azure PowerShell to your Azure subscription. In
your PowerShell session run:
Add-AzureAccount
Press Enter.
7. A small browser window will appear, prompting for your credentials. Enter your
Microsoft Account and password.
8. Next, you will need to set your default subscription. Your subscription will have a friendly
name like “Visual Studio Ultimate with MSDN” or “Free Trial”. Find your subscription
name with:
Get-AzureSubscription
9. Write the name of the Azure Subscription you will be using for the lab here:
_____________________________________________________________
10. Update your copy of the script with all the variables you will need to customize the lab
for your deployment. First, replace the words “Free Trial” for the variable $subscrName in
the code with the correct name of your subscription. Then go through and make any
necessary edits to include your unique identifier. For reference, you will set the
following variables:
$subscrName = "Free Trial" # Replace with the friendly name of your subscription, if not using the free trial
$storageAccountName = "xxxstore" # Storage name must be all lowercase. Replace xxx with your initials or some unique ID
$domainCloudService = "XXXdomainservice" # Must be globally unique (used in a URL). Replace XXX with your initials or some unique ID
$dcAvalSet = "XXX-DCSet" # Replace XXX with your initials or some unique ID
$firstDC = "XXX-DC01" # Replace XXX with your initials or some unique ID
$secondDC = "XXX-DC02" # Replace XXX with your initials or some unique ID
These variables must match what you configured for your network in Lab #1
$serverImages = Get-AzureVMImage | Where {$_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } | Sort-Object -Descending -Property PublishedDate
$image = $serverImages[0].ImageName # the most recently published image in that family
$instancesize = "Small"
$un = "SysAdmin" # Remember the username and password
$pwd = "Passw0rd!" # You'll use these credentials to connect to and/or log in to your Domain Controllers
Two things to be aware of with the last two lines: $pwd shadows PowerShell's automatic $PWD
(current directory) variable for the rest of the session, and the password sits in clear text in
the script. Both are tolerable in a throw-away lab but not in anything you keep.
11. Select ALL of the variables once they are correct and run those lines as a group.
Select-AzureSubscription -SubscriptionName $subscrName -Current
You are now ready to use Azure Cmdlets to manage your Azure subscription.
Microsoft Azure Storage is a massively scalable, highly available, and elastic cloud storage
solution that empowers developers and IT professionals to build large-scale modern
applications. Azure Storage is accessible from anywhere in the world, from any type of
application, whether it’s running in the cloud, on the desktop, on an on-premises server, or on a
mobile or tablet device. In this lab, you will create a storage account to contain all objects for
your Azure services. Your VHDs, which you will create in lab 2 for your Azure virtual machines,
will be stored in this storage account.
Alternatively - Create a new storage account from the Azure management portal
By creating a cloud service, you are creating a boundary around a group of virtual machines
that share the same external IP address and external firewall. When deploying a multi-tier
application in Azure, you can define multiple roles to distribute processing and allow flexible
scaling of your application. A cloud service consists of one or more web roles and/or worker
roles, each with its own application files and configuration. Azure Websites and Virtual
Machines also enable web applications on Azure. The main advantage of cloud services is the
ability to support more complex multi-tier architectures.
In this section you will create a new cloud service to contain your domain controller virtual
machines. VMs assigned to the same service share its public VIP and DNS name, and because both
domain controllers will also sit in the same subnet they reach each other over private addresses
without any published endpoint.
2. New-AzureService -ServiceName $domainCloudService -Location $LocationName
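The storage account section above does not reproduce its PowerShell steps, and the service section shows only step 2. The following added example (not from the lab's snippet file) performs both: it checks that the two globally unique names are still free, creates the storage account and makes it the subscription default, then creates the cloud service. It assumes the variables from "Connect to Azure with PowerShell" are set; $LocationName is not defined anywhere on this page, so it is assigned a placeholder region here.

```powershell
# Added example: storage account plus cloud service, with name-availability checks.
# Assumes $subscrName, $storageAccountName and $domainCloudService from the variables block.
$LocationName = "East US"   # assumption: placeholder region, must match the VNet's location

# Test-AzureName returns $true when a name is already taken. Both names are global
# (<name>.core.windows.net and <name>.cloudapp.net), so a collision is a hard failure.
if (Test-AzureName -Storage -Name $storageAccountName) {
    throw "Storage account name '$storageAccountName' is already in use; pick another."
}
if (Test-AzureName -Service -Name $domainCloudService) {
    throw "Cloud service name '$domainCloudService' is already in use; pick another."
}

# Storage account for the VHDs (lowercase, 3-24 characters, letters and digits only).
New-AzureStorageAccount -StorageAccountName $storageAccountName -Location $LocationName

# Make it the default for this subscription so New-AzureVM knows where to place disks.
Set-AzureSubscription -SubscriptionName $subscrName -CurrentStorageAccountName $storageAccountName

# Cloud service: the boundary that gives the DC VMs a shared public VIP and DNS name.
New-AzureService -ServiceName $domainCloudService -Location $LocationName

# Verify both exist in the expected region.
Get-AzureStorageAccount -StorageAccountName $storageAccountName | Select-Object StorageAccountName, Location
Get-AzureService -ServiceName $domainCloudService | Select-Object ServiceName, Location, Status

# The storage keys are credentials for everything in the account, VHDs included.
# Never paste them into scripts you keep; regenerate them if they ever leak.
if (-not (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary) {
    throw "No primary key returned for $storageAccountName"
}
```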
Alternatively - Create a new service from the Microsoft Azure management portal
(Image is an example only, adjust your entries to reflect your lab environment.)
Deploy domain controllers in Microsoft Azure
In this task, you will deploy two virtual machines (VMs) to function as domain controllers in
the virtual network you created in Lab 1. During the last portion of the lab you will also
configure the AD service as the DNS server for that virtual network, and you will assign it a
static IP address (technically this is a DHCP reservation in the subnet, but it is referred to as
a static IP almost everywhere in the Azure documentation).
At this point you have created a single VM in Azure, running Windows Server 2012 R2. No
modifications have been made to the OS. Next, you will remotely connect to this VM to install
Active Directory and switch the OS to Server Core.
4. To install the remote access certificate on your local machine, open the script saved
earlier in the lab into another tab in PowerShell ISE.
$SubscriptionName = $SubscrName
$ServiceName = $domainCloudService
$Name = $firstDC
6. Run the entire script. It will be saved and you should get a confirmation that the
certificate has been imported to your local machine.
Now you will be able to connect to your machine remotely via PowerShell. For these next
steps, understand that you are using PowerShell to connect directly to a VM. This VM happens
to be in Azure, but the same PowerShell commands would work for on-premises machines as well.
Note: Make sure your VM has completed configuration and is in the “running” state at this
point.
7. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $Name
$cred = Get-Credential
8. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.
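The "remote access certificate" script referred to in steps 4 to 6 is not reproduced on this page. The following is an added reconstruction of what such a script has to do, not the lab's own file, and it finishes with steps 7 and 8. It assumes $domainCloudService, $Name and $un from the variables you set earlier and that the VM is already in the Running (ReadyRole) state. The security-relevant point: the VM's WinRM listener uses a self-signed certificate, and the safe way to trust it is to fetch its thumbprint from the authenticated Azure management API and trust that one certificate, which is effectively pinning. The tempting alternative, New-PSSessionOption -SkipCACheck -SkipCNCheck, accepts any certificate and leaves the session open to interception.

```powershell
# Added example: trust the VM's WinRM certificate by pinning, then open a remote session.
# Assumes $domainCloudService, $Name and $un are set; VM must be in the ReadyRole state.

# 1. Ask the management API which certificate the WinRM HTTPS listener presents.
$vm = Get-AzureVM -ServiceName $domainCloudService -Name $Name
if ($vm.Status -ne "ReadyRole") { throw "VM $Name is '$($vm.Status)'; wait until it is ReadyRole." }
$thumb  = $vm.VM.DefaultWinRMCertificateThumbprint
$azCert = Get-AzureCertificate -ServiceName $domainCloudService -Thumbprint $thumb -ThumbprintAlgorithm sha1

# 2. Decode the base64 certificate data in memory; nothing is written to disk.
$bytes = [Convert]::FromBase64String($azCert.Data)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
if ($cert.Thumbprint -ne $thumb) { throw "Thumbprint mismatch; refusing to trust $($cert.Subject)." }

# 3. Import into the Trusted Root store of the current user only. Commonly circulated
#    versions of this script use LocalMachine\Root, which makes every account on the
#    workstation trust this self-signed certificate; CurrentUser limits the blast radius.
#    Windows shows a confirmation dialog for CurrentUser\Root; that prompt is deliberate.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "CurrentUser"
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
$store.Close()
"Trusted $($cert.Subject) ($thumb) for WinRM over HTTPS"

# 4. Steps 7 and 8: the URI is https://<service>.cloudapp.net:<public port>/ and the
#    certificate's subject matches the cloud service DNS name, so no CN check is skipped.
$uri  = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $Name
$cred = Get-Credential -Message "Local administrator of $Name (the $un account)"
Enter-PSSession -ConnectionUri $uri -Credential $cred
```

When you are finished with the lab, remove the certificate from the store again: a trusted root that outlives the VM it belonged to is clutter at best.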
You will see your PowerShell prompt change as you connect directly to a single machine instead
of your Azure subscription. Next you will install Active Directory and configure some users to
use in the next lab.
NOTE: Much of this process can be automated by leveraging a custom script extension as a part
of the provisioning process. Custom Script Extensions can automatically download scripts and
files from Azure Storage and launch a PowerShell script on the VM. These scripts can be used
to install additional software components in addition to Active Directory. Custom Script
Extensions can be added during VM creation or after the VM has been running. However, in
order for you to understand how you can remotely connect to VMs in Azure and perform
familiar tasks with PowerShell, you will be performing this process step-by-step.
9. Install Active Directory and configure the forest. You will be prompted to enter a
password for Active Directory Safe Mode (Directory Services Restore Mode). Enter the same
password you have been using for everything in this lab. For your reference, ForestMode 6
and DomainMode 6 set the forest and domain to the Windows Server 2012 R2 functional level.
Note that Install-ADDSForest is provided by the AD DS role, so that role must already be
installed on the VM (Install-WindowsFeature AD-Domain-Services) before this command will run.
Install-ADDSForest -DomainName "contosoazure.com" -ForestMode 6 -DomainMode 6
Once your VM completes its reboots and is back in the running state, DC01 should have the IP
address 192.168.10.4. You can look in the Azure Management Portal to confirm this.
Note: When you are prompted for credentials be sure to enter sysadmin@contosoazure.com as
the username because your local Admin account has become a domain administrator for the
contosoazure.com domain.
1. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
$cred = Get-Credential
2. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.
4. Add users:
$newPassword = (Read-Host -Prompt "Provide New Password" -AsSecureString)
New-ADUser -Name "Bob Smith" -Department "Sales" -AccountPassword $newPassword
5. Enable a user:
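The following added example (not from the lab) fleshes out steps 4 and 5: it creates a small constructed set of lab users inside the remote session on DC01, setting sAMAccountName and userPrincipalName explicitly so that they synchronize cleanly in Lab 3, and enables them as a separate step, since New-ADUser creates accounts disabled unless told otherwise. It assumes the domain is contosoazure.com. One caveat worth knowing before Lab 3: because contosoazure.com is not a verified domain in the Azure AD tenant, directory sync will rewrite the UPN suffix to the tenant's default <tenant>.onmicrosoft.com domain, which is why the MFA test later signs in as KarenVogue@AzureContoso<ID>.onmicrosoft.com.

```powershell
# Added example: create and enable the lab users on DC01 (run inside the Enter-PSSession).
# Assumptions: domain contosoazure.com; the user list below is constructed for this lab.
Import-Module ActiveDirectory
$upnSuffix = "contosoazure.com"

# Prompt once; the password never appears in the script and stays a SecureString in memory.
$newPassword = Read-Host -Prompt "Initial password for the lab users" -AsSecureString

# Constructed test data. Karen Vogue matches the user the MFA test later signs in as.
$users = @(
    @{ First = "Bob";   Last = "Smith"; Department = "Sales" },
    @{ First = "Karen"; Last = "Vogue"; Department = "Marketing" },
    @{ First = "Alice"; Last = "Chen";  Department = "Engineering" }
)

foreach ($u in $users) {
    $sam = "$($u.First)$($u.Last)"           # e.g. KarenVogue; sAMAccountName is limited to 20 chars
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    New-ADUser -Name "$($u.First) $($u.Last)" `
        -GivenName $u.First -Surname $u.Last `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$upnSuffix" `
        -Department $u.Department `
        -AccountPassword $newPassword
    # Step 5: New-ADUser leaves the account disabled unless -Enabled $true is given.
    Enable-ADAccount -Identity $sam
}

# Check: every lab user exists, is enabled and carries a UPN for synchronization.
Get-ADUser -Filter 'Department -like "*"' -Properties Department |
    Select-Object SamAccountName, UserPrincipalName, Department, Enabled
```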
Now that the virtual machine is created, you want to log on and verify that it looks, feels, and
behaves just like any server on your network.
1. On the left menu of the Azure management portal, scroll to and click VIRTUAL
MACHINES.
2. On the end of the line containing <ID>-DC01, click the DNS Name to open the Cloud
Service dashboard.
3. Click on the DASHBOARD tab.
o You can review information about the running virtual machines, as well
as view the current health.
4. Click the MONITOR tab.
o You can view performance and data statistics.
5. Click the INSTANCES tab
o Here you can view the fault and update domains assigned to each VM in
your Availability Set.
6. Click DC01 to open the VM dashboard.
7. Click the DASHBOARD tab.
o You can review information about this specific virtual machine, as well as
view its current health.
8. Click the MONITOR tab.
o You can view performance and data statistics for this virtual machine.
9. Click the ENDPOINTS tab.
o You can configure published endpoints, which are similar to firewall rules,
to allow applications to access services running on the VM.
10. Click the CONFIGURE tab.
o You can modify the properties of the virtual machine. You can also
configure monitoring from multiple locations to ensure your endpoint is
operational.
11. Click the DASHBOARD tab.
12. To open a remote desktop connection to the virtual machine, at the bottom of the
screen click CONNECT, and then click Open.
13. Click Connect.
14. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the
password. (Substitute the username and password you used during VM Creation if
different than the lab recommendations.)
15. Click Yes.
o You are now logged on to the desktop of your newly created virtual
machine.
16. Click No when prompted to enable discovery of devices.
Once connected, you can confirm the installation of the Active Directory service and the
creation of the domain if you desire.
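The ENDPOINTS tab in step 9 deserves a closer look: the "Remote Desktop" (3389) and "PowerShell" (5986) endpoints created during provisioning are reachable from the entire Internet on the cloud service's public VIP, and the only thing standing between the Internet and your domain controller's RDP logon is the SysAdmin password. The following added example, not part of the lab, attaches an endpoint ACL that permits only your own public address. It assumes $domainCloudService and $firstDC from the variables block; the source address is a placeholder you must replace.

```powershell
# Added example: restrict DC01's management endpoints to a single source address.
# Assumptions: $domainCloudService and $firstDC are set; $myIp is a placeholder.
$myIp = "203.0.113.10"             # assumption: replace with your workstation's public IPv4
$allowFrom = "$myIp/32"

# One Permit rule is enough: once an ACL is attached, any source it does not permit is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet $allowFrom -Order 100 `
    -Description "Lab workstation only" -ACL $acl

$vm = Get-AzureVM -ServiceName $domainCloudService -Name $firstDC
foreach ($epName in "Remote Desktop", "PowerShell") {
    $ep = $vm | Get-AzureEndpoint -Name $epName
    if (-not $ep) { Write-Warning "Endpoint '$epName' not found on $firstDC; skipping"; continue }
    # Set-AzureEndpoint needs protocol and ports again; reuse the existing values and attach the ACL.
    $vm = $vm | Set-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol -LocalPort $ep.LocalPort `
                                  -PublicPort $ep.Port -ACL $acl
}
$vm | Update-AzureVM

# Verify: each management endpoint now carries the ACL (Acl column non-empty).
Get-AzureVM -ServiceName $domainCloudService -Name $firstDC | Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort, Acl
```

If your public address changes (hotel Wi-Fi, a mobile hotspot), the RDP and PowerShell connections will simply time out; update the rule rather than removing the ACL. Repeat the same commands with $secondDC once DC02 exists.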
The new portal offers some great enhancements to managing Azure. It is still in preview, but
this task will give you a glimpse into the new portal. You’ll perform a task here that otherwise
you would have to use PowerShell for.
1. In the Azure management portal, click your Account ID (e-mail address) in the
upper right-hand corner and click Switch to new portal. Notice that a new browser
tab opens automatically.
2. If prompted for your credentials, enter your ID and password to enter the new
portal
3. On the left hand toolbar in the portal click Browse and scroll to and select Virtual
machines
Next you will deploy the 2nd domain controller for your forest.
First, exit your remote session to DC01 by typing “exit” at the PowerShell prompt for your
remote server. You will be returned to your local, Azure-connected session.
Create the second VM in the domain. This time you will automatically deploy the machine to
the correct Availability Set. Take note of the “AvailabilitySetName” parameter in the
New-AzureVMConfig command below:
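The New-AzureVMConfig command itself is not reproduced on this page, and neither is the one that created DC01 earlier. The following added example (not the lab's snippet file) shows a single function that deploys either domain controller: into the availability set, onto Core-Subnet, with its "static" address reserved and checked first, and with a data disk for the AD database that has host caching switched off, which is the Azure guidance for domain controllers since the OS disk's write cache does not give AD the write-through semantics it expects. It assumes the variables from "Connect to Azure with PowerShell" ($domainCloudService, $dcAvalSet, $firstDC, $secondDC, $image, $instancesize, $un, $pwd) and a virtual network named XXX-VNet.

```powershell
# Added example: deploy DC01 (192.168.10.4) and DC02 (192.168.10.5) into the availability set.
# Assumes the lab's variables and a VNet named XXX-VNet with a Core-Subnet of 192.168.10.0/24.
$vnetName = "XXX-VNet"   # assumption: the network built in Lab 1

function New-LabDomainController {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $StaticIp
    )
    # A "static" IP in Azure is a reservation inside the subnet: confirm it is free first.
    $probe = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $StaticIp
    if (-not $probe.IsAvailable) {
        throw "$StaticIp is taken in $vnetName; free addresses: $($probe.AvailableAddresses -join ', ')"
    }

    # AvailabilitySetName places both DCs in different fault and update domains.
    # The data disk (LUN 0, HostCaching None) will hold NTDS and SYSVOL after promotion.
    $cfg = New-AzureVMConfig -Name $Name -InstanceSize $instancesize -ImageName $image `
               -AvailabilitySetName $dcAvalSet |
           Add-AzureProvisioningConfig -Windows -AdminUsername $un -Password $pwd |
           Set-AzureSubnet -SubnetNames "Core-Subnet" |
           Set-AzureStaticVNetIP -IPAddress $StaticIp |
           Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel "$Name-NTDS" -LUN 0 -HostCaching None

    New-AzureVM -ServiceName $domainCloudService -VNetName $vnetName -VMs $cfg -WaitForBoot
}

New-LabDomainController -Name $firstDC  -StaticIp "192.168.10.4"   # matches the DNS-DC01 entry in Lab 1
New-LabDomainController -Name $secondDC -StaticIp "192.168.10.5"

# Verify placement and addresses: two VMs, expected IPs, same availability set.
Get-AzureVM -ServiceName $domainCloudService |
    Select-Object Name, IpAddress, AvailabilitySetName, Status

# For a VM that already exists (the "DC01 designated static IP" task), the reservation can be
# added afterwards; this triggers a reprovisioning of the VM's network interface:
#   Get-AzureVM -ServiceName $domainCloudService -Name $firstDC |
#       Set-AzureStaticVNetIP -IPAddress "192.168.10.4" | Update-AzureVM
```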
Like the first VM, you will need to remotely connect to configure Active Directory and change
any roles or features.
3. To install the remote access certificate on your local machine, return to the script
saved in the other tab in PowerShell ISE. Edit the variables for your environment to
reflect the name of the second machine.
$subscriptionName = $subscrName
$ServiceName = $domainCloudService
$Name = $secondDC
4. Run the entire script. You should get a confirmation that the certificate has been
imported to your local machine.
5. Set the variables for your cloud service and server, then prompt for credentials:
$uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $Name
$cred = Get-Credential
6. Start a PS-Session with your remote machine. You will be prompted to enter the
username and password you set for the machine.
Enter-PSSession -ConnectionUri $uri -Credential $cred
7. Install Active Directory and join the existing domain. You will be prompted for
credentials to join the domain (use sysadmin@contosoazure.com) and to enter a
password for Safe Mode.
8. (Optional) Change from Full GUI to Server Core. Be patient, this takes a while. Once
the machine is back up and running, connect to it via Remote Desktop to verify that
it’s just the core OS. You can continue on to Lab 3 while this reconfiguration is
taking place.
Remove-WindowsFeature -name User-Interfaces-Infra
Restart-Computer –Force
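Neither promotion command is shown in full on this page: step 9 of the DC01 section gives only the bare Install-ADDSForest line, and step 7 above gives none. The following added example, not the lab's own snippet, covers both with one function run inside the remote session on the respective VM. It installs the AD DS role first (the deployment cmdlets do not exist until it is installed), prepares the data disk so that the database and SYSVOL stay off the cached OS disk, prompts for the DSRM password instead of embedding it, and for DC02 verifies through DNS that DC01 is discoverable before promoting. It assumes the domain contosoazure.com and exactly one raw data disk attached to each VM (as in the deployment example).

```powershell
# Added example: promote DC01 (new forest) or DC02 (additional DC) from inside Enter-PSSession.
# Assumptions: domain contosoazure.com; one raw data disk attached; run as the local administrator.
$domainName = "contosoazure.com"

function Initialize-NtdsDisk {
    # The OS disk has read/write host caching; AD's database wants write-through, so put
    # NTDS and SYSVOL on the data disk that was attached with HostCaching None.
    $raw = Get-Disk | Where-Object { $_.PartitionStyle -eq "RAW" }
    if (-not $raw) { Write-Warning "No raw data disk found; AD will land on the OS disk"; return "C:" }
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter F |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "NTDS" -Confirm:$false | Out-Null
    return "F:"
}

function Install-LabDomainController {
    param([Parameter(Mandatory)][ValidateSet("Forest", "Additional")] [string] $Role)

    $drive = Initialize-NtdsDisk
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

    # Prompt for the DSRM password rather than reusing the lab's shared password in a script.
    $dsrm  = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString
    $paths = @{ DatabasePath = "$drive\NTDS"; LogPath = "$drive\NTDS"; SysvolPath = "$drive\SYSVOL" }

    if ($Role -eq "Forest") {
        # Win2012R2 is functional level 6, which is what "-ForestMode 6 -DomainMode 6" means.
        Install-ADDSForest -DomainName $domainName -ForestMode Win2012R2 -DomainMode Win2012R2 `
            -InstallDns -SafeModeAdministratorPassword $dsrm -Force @paths
    } else {
        # DC02 must locate DC01 through DNS; the VNet DNS setting (192.168.10.4) provides that.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction SilentlyContinue
        if (-not $srv) { throw "No DC for $domainName found in DNS; fix the VNet DNS server before promoting." }
        $domainCred = Get-Credential -Message "Domain admin, e.g. sysadmin@$domainName"
        Install-ADDSDomainController -DomainName $domainName -Credential $domainCred `
            -InstallDns -SafeModeAdministratorPassword $dsrm -Force @paths
    }
    # The VM reboots here and the remote session drops; reconnect once Get-AzureVM reports ReadyRole.
}

# On DC01:
Install-LabDomainController -Role Forest
# On DC02:
#   Install-LabDomainController -Role Additional
# After the reboots, from either DC, confirm both controllers are known and replicating:
#   Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsGlobalCatalog
#   repadmin /replsummary
```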
In this task, you will create a new Azure Active Directory tenant.
3. In NAME, type Contoso-AZ-Directory.
4. In DOMAIN NAME, type AzureCONTOSO<ID> (where <ID> is your unique ID).
5. In COUNTRY OR REGION, select UNITED STATES, and then click the Complete icon.
o If you are not in the United States, select it anyway to ensure the consistency of the lab
steps.
1. In the Azure management portal, click ACTIVE DIRECTORY, and then click Contoso-AZ-Directory.
2. Under Contoso-AZ-Directory, click USERS, located on the top menu.
3. In the bottom bar, click ADD USER.
4. In USER NAME, type AADAdmin, and then click the Next arrow.
5. In FIRST NAME, type AAD, and then in Last Name, type Admin.
6. In DISPLAY NAME, type AADAdmin.
7. In ROLE, select Global Administrator.
8. In ALTERNATE EMAIL ADDRESS, type any valid e-mail address you have access to, and then click the
Next arrow.
In this task, you will perform an initial logon to set the password for the admin account.
1. Close out of all web browser sessions or open an “In-Private” browser session. Using Internet
Explorer, navigate to manage.windowsazure.com.
2. Log in as AADAdmin using the Unique <ID> and password you noted previously. i.e.
AADAdmin@AzureContoso<ID>.onmicrosoft.com
o You will need to use the username value you noted earlier.
o You may need to sign out first.
3. When prompted, change the password to Passw0rd! and then click Update password and sign in.
o You will see a message “No subscriptions found.” This is expected. The user is not
permitted to manage subscription level details.
4. Close Internet Explorer.
In this task, you will configure Windows Server 2012 R2 and create a new user to test your synchronization when
you enable DirSync, and then perform an initial sync to populate your Azure Active Directory service with copies of
your local user accounts.
1. Close all web browsing sessions then reopen Internet Explorer and navigate to
http://Manage.WindowsAzure.com.
2. Log in with your Microsoft account used in the previous labs, not the AD administrator account from
the previous section.
3. On the left menu of the Azure management portal, click VIRTUAL MACHINES.
4. Next to DC01, click the DC01 computer name to open the Virtual Machine Quick Start or Dashboard.
5. Click DASHBOARD.
6. On the bottom bar, click CONNECT, and then click Open.
7. Click Connect.
8. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the password.
9. Click yes.
o You are now logged on to your virtual machine.
10. Open Server Manager and click Local Server in the left-hand navigation pane.
11. Next to IE Enhanced Security Configuration, click On.
12. In the Internet Explorer Enhanced Security Configuration dialog, click Off for both Administrators and
Users. This is only to allow the downloads in this lab; turn it back on when you are done, because browsing
the Internet from a domain controller is something to avoid in any real environment.
13. Click OK.
14. In Server Manager, click Tools and select Active Directory Users and Computers.
15. As you browse Users and Computers, you should see the names of the users you created via
PowerShell.
16. Still on DC01: using Internet Explorer, navigate to http://Azure.Microsoft.com.
17. Log in as your subscription user, not the user you just created.
18. In the Azure management portal, scroll to and click ACTIVE DIRECTORY.
19. Click Contoso-AZ-Directory, and then click Directory Integration.
20. Next to DIRECTORY SYNC, click Activated.
21. Click Save, and then click Yes.
o Wait for the job to complete before proceeding.
22. Open Internet Explorer on the domain controller and go to http://aka.ms/azureadsync to download
the Microsoft Azure Active Directory Sync Services.
23. Click Download.
24. Save the tool to the desktop of the domain controller.
25. On the DC's desktop, right-click MicrosoftAzureADConnectionTool and select Run as
administrator. This will install and configure the tool.
26. Check I agree to the terms and click Install.
NOTE: dirSync may take about 10 minutes or longer to install.
32. Switch to your Azure management portal, and then click ACTIVE DIRECTORY.
33. Click the Domain that synchronized, and then click Users and look for the users you created earlier
o You should eventually see the users you created in AD now synchronized to your Azure
Active Directory.
Implementing Multi-Factor Authentication
Multi-factor or two-factor authentication is a method of authentication that requires the use of more than one
verification method and adds a critical second layer of security to user sign-ins and transactions. It works by
requiring any two or more of the following verification methods:
o Something you know (typically a password)
o Something you have (a trusted device that is not easily duplicated, such as a phone)
o Something you are (biometrics)
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication
factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is
useless without also having possession of the trusted device. Conversely, if the user happens to lose the device,
the finder of that device won't be able to use it unless he or she also knows the user's password. Azure Multi-
Factor Authentication is the multi-factor authentication service that requires users to also verify sign-ins using a
mobile app, phone call or text message. It is available to use with Azure Active Directory, to secure on-premises
resources with the Azure Multi-Factor Authentication Server, and with custom applications and directories using
the SDK.
In this task, you will configure Multi-Factor Authentication (MFA) with Microsoft Azure. To complete this module
fully, you need a phone that can send and receive text messages or calls. You will configure this lab to use your
phone as the second authentication factor; verification is done by replying to a system-generated text or voice
message.
In this task, you will test multi-factor authentication. Ensure you have the phone readily available as you will have a
limited time to receive and reply to the text message generated by Microsoft Azure.
Perform this task on your local machine.
1. In the Microsoft Azure active directory portal click directory and click Contoso-AZ-Directory.
2. On the top bar click Configure
3. Under the multi-factor authentication section click Manage Service Settings
(Image is an example only, select a user that reflects your lab environment.)
7. On the information screen, review the message and click enable multi-factor auth.
8. Click Close
9. Open a new tab in Internet Explorer and navigate to http://aka.ms/MFASetup Note: If you are signed
in, sign out to continue
10. On the Sign in screen type in the username and password you created earlier (such as
KarenVogue@AzureContoso<ID>.onmicrosoft.com and Passw0rd!) and click sign in.
11. Since this is the first time the user has logged in you will need to configure MFA, click Set it up now
12. Fill in your contact information (phone number of your mobile phone), select the Call me radio
button, and click Contact me
13. Answer your phone when it rings, and listen to the instructions. Press # to finish the authentication
process. On the Additional security verification click Done.
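Steps 4 to 6 of this task (selecting the user in the portal's multi-factor authentication page) are missing from this page, and the previous section leaves you to eyeball the synchronized users. The following added example, not part of the lab, does both from PowerShell with the Azure Active Directory (MSOnline) module: it confirms directory synchronization is active and when it last ran, lists the synced users (the ones carrying an ImmutableId, the on-premises objectGUID), audits which of them have no MFA requirement, and enables MFA for those. It assumes you sign in as the tenant Global Administrator; the lab's AADAdmin@AzureContoso<ID>.onmicrosoft.com account is the natural choice but that is an assumption here.

```powershell
# Added example: verify DirSync and enable per-user MFA for synced users via MSOnline.
# Assumptions: MSOnline module installed; you sign in as the tenant Global Administrator.
Import-Module MSOnline
Connect-MsolService    # prompts for the tenant admin credentials

# Sync health: was directory sync activated, and when did the last cycle complete?
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) { throw "Directory sync is not activated on this tenant." }
"Last directory sync: $($company.LastDirSyncTime) (UTC)"

# Synced users carry an ImmutableId; cloud-only users such as AADAdmin do not.
$synced = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
"Synced users: $($synced.Count)"
$synced | Select-Object DisplayName, UserPrincipalName, LastDirSyncTime

# Audit first: which synced users have no MFA requirement at all?
$noMfa = @($synced | Where-Object { -not $_.StrongAuthenticationRequirements })
"Synced users without MFA: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName

# "Enabled" makes the user register a method at next sign-in (the aka.ms/MFASetup flow in the
# test above) and moves to "Enforced" once registration completes; "Enforced" set directly also
# blocks legacy clients that cannot do MFA. Start with Enabled for the lab.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
foreach ($u in $noMfa) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Verify: every synced user now reports Enabled (or Enforced once they have registered).
Get-MsolUser -All | Where-Object { $_.ImmutableId } |
    Select-Object UserPrincipalName,
        @{ n = "MfaState"; e = { ($_.StrongAuthenticationRequirements | Select-Object -First 1).State } }
```

Enabling MFA on the Global Administrator itself is the change that matters most in a real tenant; it is left out above only because the script is running as that account and a mid-script state change would interrupt the session.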
Lab 4: Automating Deployments of SQL and IIS
This lab gives you an opportunity to experience using PowerShell to drive the automation of
deployments.
You can download the full script to run at: http://aka.ms/tiy or at http://aka.ms/lab4script
The script demonstrates automated deployment of Microsoft Azure Infrastructure Services using
Azure PowerShell. This particular demo walks the concept from deploying a set of VMs that form
an application architecture (IaaS), through configuring a target runtime environment (PaaS), to
creating and starting a two-tier application instance (SaaS). What it deploys is not just a set of
VMs, but a set of VMs collectively delivering a data management application, as shown below. The
value proposition of this exercise is an end-to-end, highly automated deployment of a target
application instance on demand, i.e. application deployment as a service.
[Figure: an Azure region containing one cloud service; its endpoint/load balancer fronts WEBFE01, which talks to SQL01 on port 1433.]
The requirements to run this script are:
1. Have Azure PowerShell installed locally (Ref: http://aka.ms/AzureCmdlets)
2. Be able to log in with an Azure account
The coding style and the organization of this script are for clarity and readability, instead of
efficiency and optimization. Notice that in this script all credentials are provided and passed
as plain text for simplicity. There is very limited error handling. This script is for learning and
training, and not for production use.
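The two warnings in that paragraph, plain-text credentials and a training-only script, map to two concrete changes before anything like it is reused. The following added example (not the Lab 4 script, and not a replacement for it) shows the deployment of the same two tiers with those changes applied: the administrator credential comes from Get-Credential and its plain-text form exists only for the moment Add-AzureProvisioningConfig needs it, and SQL01 is created with no public endpoint at all (and no RDP endpoint), so port 1433 is reachable only from WEBFE01 across the virtual network. It assumes the Lab 1 variables ($image, $instancesize), a virtual network XXX-VNet with an App-Subnet, and a cloud service name and region that are placeholders.

```powershell
# Added example: two-tier deployment with prompted credentials and an unexposed SQL tier.
# Assumptions: $image and $instancesize from Lab 1; VNet XXX-VNet with App-Subnet;
# $appService and $LocationName are placeholders you must change.
$appService   = "XXXappservice"    # assumption: globally unique cloud service name
$vnetName     = "XXX-VNet"
$LocationName = "East US"          # assumption: must match the VNet's region
if (Test-AzureName -Service -Name $appService) { throw "Service name $appService is already taken." }

# Lab 4 style (avoid): $adminPassword = "Passw0rd!"
# Prompt instead, and extract the plain text only because the classic API takes a string.
$adminCred = Get-Credential -Message "Local administrator for WEBFE01 and SQL01"
$plain = $adminCred.GetNetworkCredential().Password

# Front end: the only VM with an application endpoint published on the service VIP.
$web = New-AzureVMConfig -Name "WEBFE01" -InstanceSize $instancesize -ImageName $image |
       Add-AzureProvisioningConfig -Windows -AdminUsername $adminCred.UserName -Password $plain |
       Set-AzureSubnet -SubnetNames "App-Subnet" |
       Add-AzureEndpoint -Name "HTTP" -Protocol tcp -LocalPort 80 -PublicPort 80

# Database: no Add-AzureEndpoint for 1433 and no RDP endpoint. WEBFE01 reaches it over the
# VNet by private address or hostname; administer it via WinRM or by hopping through WEBFE01.
$sql = New-AzureVMConfig -Name "SQL01" -InstanceSize $instancesize -ImageName $image |
       Add-AzureProvisioningConfig -Windows -AdminUsername $adminCred.UserName -Password $plain -NoRDPEndpoint |
       Set-AzureSubnet -SubnetNames "App-Subnet" |
       Add-AzureDataDisk -CreateNew -DiskSizeInGB 50 -DiskLabel "SQLData" -LUN 0 -HostCaching None

# The configs now hold the password; drop the plain-text copy from the session.
Remove-Variable plain

# -Location creates the cloud service if it does not exist yet.
New-AzureVM -ServiceName $appService -Location $LocationName -VNetName $vnetName -VMs $web, $sql

# Verify exposure: SQL01 should list only the PowerShell (WinRM) endpoint; WEBFE01 adds HTTP.
foreach ($n in "WEBFE01", "SQL01") {
    Get-AzureVM -ServiceName $appService -Name $n | Get-AzureEndpoint |
        Select-Object @{ n = "VM"; e = { $n } }, Name, Protocol, Port, LocalPort
}
```

The remaining exposure after this change is the WinRM endpoint on both VMs and HTTP on WEBFE01; the endpoint ACL shown for the domain controllers in Lab 2 applies to those in exactly the same way.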
APPENDIX - Perform the following tasks in the Azure management portal to
set up your Virtual Machines.
If you would rather use the portal to set up VMs in Azure without PowerShell, you can do so by following this
sample guide.
5. Create a new virtual machine using the values in the following table. Please note: you can use your own
username and password, just make sure to remember it!

    Property                    Value
    VIRTUAL MACHINE NAME        ABC-DC01
    TIER                        Standard
    SIZE                        A1
    USER NAME                   SysAdmin
    NEW PASSWORD and CONFIRM    Passw0rd!