Hybrid Cloud IT Camp Hands-On Labs

Contents

Lab Requirements (p. 2)
Getting Set for Success (p. 2)
Concentrate on What You Need Most (p. 2)
Lab 1: Building the Foundation (p. 3)
   Login to the Azure Portal (p. 4)
   Create a new virtual network and subnets for objects (p. 4)
   Connect to Azure with PowerShell (p. 5)
   Create a new storage account using PowerShell (p. 7)
   Alternatively - Create a new storage account from the Azure management portal (p. 8)
   Create a new service with PowerShell (p. 8)
   Alternatively - Create a new service from the Microsoft Azure management portal (p. 9)
Lab 2: Building Workloads (p. 9)
   Deploy domain controllers in Microsoft Azure (p. 10)
   Preparing to Remotely Connect to Azure Virtual Machines (p. 10)
   Create users in your Active Directory (p. 12)
   Explore the virtual machines and connect via RDP (p. 13)
   DC01 designated static IP – Using the New Preview Portal (p. 14)
   Next you will deploy the 2nd domain controller for your forest (p. 16)
Lab 3: Working with Identity (p. 17)
   Create a new Azure Active Directory environment (p. 17)
   Create an Azure Active Directory Administrator account (p. 18)
   Set a password for your admin account (p. 19)
   Configure and test the AADSync Service (p. 20)
   Implementing Multi-Factor Authentication (p. 23)
   Testing Multi-Factor Authentication (p. 23)
Lab 4: Automating Deployments of SQL and IIS (p. 25)
APPENDIX - Perform the following tasks in the Azure management portal to set up your Virtual Machines (p. 26)

Version 4.4

Lab Requirements

The following components are required to successfully complete this Hands-on Lab:
- A Microsoft Azure Account and Credentials
- A modern web browser with HTML5 and JavaScript enabled
- Remote Desktop Client connection software
- Internet connectivity
- Identification for building access
- 10" or larger screen recommended
- Your own wireless hotspot (if you have one)
- The ability to install software (admin rights) for the installation of the Azure PowerShell Module

In addition, this hands-on lab guide assumes that lab participants are comfortable with performing the steps involved in implementing Windows Server 2012 and Active Directory in an on-premises datacenter environment.

The goal of this lab is to set up an Active Directory environment in Azure using PowerShell, PowerShell Remoting and, if necessary, the Azure portal.

Getting Set for Success

Throughout this lab you will be required to name items in a unique manner. Wherever you see "XXX" or <ID>, replace them with three letters of your choosing, like your initials.

Your Azure Region/Location for this IT Camp is: __________________

For your convenience, all the PowerShell code and commands you will need to complete this lab can be found at http://bit.ly/AzureQ4Snippets. You can choose to type the commands individually from the lab guide, copy each line from the file, or copy the entire file into the ISE scripting window for ease of use.

Note: You may not have time to complete all labs today. Please finish at home or in the office if needed. If you have questions or need additional support, email itcamp@microsoft.com; please be as specific as possible and include screenshots of results. If at a camp, include the city.

Concentrate on What You Need Most

Not all parts of the lab depend on others, so you can adjust your lab experience to focus on the tasks that interest you the most.
- If you are interested in seeing automation in action, do:
   o Lab 4
- If you are interested in syncing traditional AD with Azure AD and/or using Multi-Factor Authentication, do:
   o Lab 1
   o Lab 2 (deploy the 1st DC and configure AD, but skip deploying the 2nd DC)
   o Lab 3
- If you are interested in using Availability Sets to take advantage of the Azure SLA and/or to get hands-on with PowerShell, do:
   o Lab 1
   o Lab 2

Lab 1: Building the Foundation

In this first lab of building a core IaaS in Microsoft Azure, you will install the Azure Module for PowerShell, connect to your subscription and create the core building blocks for your Azure services:
- Virtual Network (using the Azure Portal)
- Storage (using PowerShell)
- Cloud Service (using PowerShell)

The services mentioned above are the core components that provide a foundation for your applications, virtual machines and hybrid connectivity in Azure. Having this well thought out provides a great architecture for all of your cloud services. Here is a conceptual model of this lab:

Login to the Azure Portal

In this task you will log in to the Azure Portal to ensure your subscription is ready to go. You will find yourself checking the portal to confirm your PowerShell actions and check your work.

Perform the following tasks:
1. Open a browser, and then navigate to http://manage.windowsazure.com.
2. Click PORTAL located at the top of the Microsoft Azure site.
3. Log in using your Microsoft Azure credentials for your Microsoft Azure subscription.
4. If this is your first time logging into your Azure management portal, close the WINDOWS AZURE TOUR.

Create a new virtual network and subnets for objects

First, you will create a Microsoft Azure network object and corresponding subnet. Virtual Network lets you provision and manage virtual networks in Azure and, optionally, link them via secured VPN tunnels with your on-premises IT infrastructure to create hybrid and cross-premises solutions.
With virtual networks, IT administrators can control network topology, including configuration of DNS and IP address ranges. You can use a virtual network to:
- Create a dedicated private cloud-only virtual network
- Securely extend your data center
- Enable hybrid cloud scenarios

The virtual network you are creating will provide the IP addresses assigned to objects and virtual machines you create in other labs that are associated with this virtual network. You will also use subnets to help organize your IP addresses.

Perform the following tasks in the Azure management portal.
1. In the Azure management portal (in the leftmost column), scroll to and click NETWORKS.
2. Click NEW (plus "+" sign) located at the bottom of the Azure management portal.
3. Click CUSTOM CREATE.
4. In NAME, type XXX-VNet and then in LOCATION, select your location, and then click the Next arrow.
5. Set your DNS server to DNS-DC01 with an IP address of 192.168.10.4. (This is the IP address of the domain controller you will be creating later in the lab, which will also be handling the DNS for this virtual network.)
6. Click the Right Arrow.
7. In STARTING IP, type 192.168.0.0.
8. In CIDR (ADDRESS COUNT), select /16.
9. Under SUBNETS, highlight Subnet-1, and then replace it with Core-Subnet.
10. Under STARTING IP, type 192.168.10.0.
11. Under CIDR (ADDRESS COUNT), select /24.
12. Under SUBNETS, click add subnet.
13. Replace Subnet-2 with App-Subnet.
14. Set the STARTING IP to 192.168.11.0.
15. Set the CIDR (ADDRESS COUNT) to /24.
16. Click the Complete icon (check mark).

Connect to Azure with PowerShell

Before you can manage virtual machines from PowerShell on your local administration station you need to download the tools.
1. In the Azure portal, click the arrow next to Azure in the upper right corner of the portal, then click Downloads. You can also get to the downloads directly by navigating to http://azure.microsoft.com/en-us/downloads/
2. Scroll down to the Command-line tools section and, under Windows PowerShell, click Install.
3. When prompted, click Run and follow the installation prompts. You may be prompted to download and install additional components.
4. After installation is complete, on your Start Screen or Start Menu locate Microsoft Azure PowerShell ISE and start it. You will want to run ISE as an Administrator.
5. In the scripting pane at the top you can either type the code from this manual or copy in all the code from http://bit.ly/AzureQ4Snippets. Then run the various lines individually or in small groups.
6. You will now need to connect Microsoft Azure PowerShell to your Azure subscription. In your PowerShell session run:
   Add-AzureAccount
   Press Enter.
7. A small browser window will appear, prompting for your credentials. Enter your Microsoft Account and password.
8. Next, you will need to set your default subscription. Your subscription will have a friendly name like "Visual Studio Ultimate with MSDN" or "Free Trial". Find your subscription name with:
   Get-AzureSubscription
9. Write the name of the Azure Subscription you will be using for the lab here: _____________________________________________________________
10. Update the script copy with all the variables you will need to customize the lab for your deployment. First, replace the words "Free Trial" for the variable $subscrName in the code with the correct name of your subscription. Then go through and make any necessary edits to include your unique identifier. For reference, you will set the following variables:

   $subscrName = "Free Trial"                # Replace with the friendly name of your subscription, if not using the free trial
   $storageAccountName = "xxxstore"          # Storage name must be all lowercase. Replace xxx with your initials or some unique ID
   $domainCloudService = "XXXdomainservice"  # Must be globally unique (used in a URL). Replace XXX with your initials or some unique ID
   $dcAvalSet = "XXX-DCSet"                  # Replace XXX with your initials or some unique ID
   $firstDC = "XXX-DC01"                     # Replace XXX with your initials or some unique ID
   $secondDC = "XXX-DC02"                    # Replace XXX with your initials or some unique ID

   # These variables must match what you configured for your network in Lab 1
   $VnetName = "XXX-Vnet"        # <-- Edit to match your virtual network name
   $locationName = "West US"     # <-- Edit to match your network location choice
   $subnet = "Core-Subnet"       # <-- Edit if your network's first subnet name is different from the one the lab manual suggested

   # These variables can be left as they are found in the script. If you edit them, be sure to take note of the values for later.
   $serverImages = Get-AzureVMImage | Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } | Sort-Object -Descending -Property PublishedDate
   $image = $serverImages[0].ImageName
   $instancesize = "Small"
   $un = "SysAdmin"        # Remember the username and password
   $pwd = "Passw0rd!"      # You'll use these credentials to connect to and/or log in to your domain controllers

11. Select ALL of the variables once they are correct and run those lines as a group.
12. Then select the correct subscription with:
   Select-AzureSubscription -SubscriptionName $subscrName -Current

You are now ready to use Azure cmdlets to manage your Azure subscription.

Create a new storage account using PowerShell

Microsoft Azure Storage is a massively scalable, highly available, and elastic cloud storage solution that empowers developers and IT professionals to build large-scale modern applications. Azure Storage is accessible from anywhere in the world, from any type of application, whether it's running in the cloud, on the desktop, on an on-premises server, or on a mobile or tablet device. In this lab, you will create a storage account to contain all objects for your Azure services.
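Before creating the storage account and cloud service, it is worth checking the variable block from the previous section, because the naming rules and the global uniqueness of these names are otherwise only reported when the later cmdlets fail. The following is an added example, not part of the lab guide or its snippet file: it assumes Add-AzureAccount has been run and that $subscrName, $storageAccountName, $domainCloudService, $VnetName, $subnet, $locationName and $pwd are set as in step 10; Test-LabVariables is this example's own function name, and the Subnets/Name properties read from Get-AzureVNetSite are an assumption about that cmdlet's output.

```powershell
# Added example (not part of the lab guide): pre-flight checks for the variable block in step 10.
# Test-AzureName, Get-AzureVNetSite and Get-AzureLocation are Azure Service Management cmdlets
# from the module the lab installs; Test-LabVariables is this example's own name.
function Test-LabVariables {
    param(
        [string]$SubscriptionName   = $subscrName,
        [string]$StorageAccountName = $storageAccountName,
        [string]$CloudServiceName   = $domainCloudService,
        [string]$VNetName           = $VnetName,
        [string]$SubnetName         = $subnet,
        [string]$Location           = $locationName,
        [string]$AdminPassword      = $pwd
    )
    $problems = @()

    # 1. Placeholder and naming rules. The portal enforces these as you type; from PowerShell
    #    you only hear about them when New-AzureStorageAccount / New-AzureService fail.
    if ($StorageAccountName -cnotmatch '^[a-z0-9]{3,24}$') {
        $problems += "Storage account name '$StorageAccountName' must be 3-24 lowercase letters or digits."
    }
    if ($CloudServiceName -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{1,61}[A-Za-z0-9]$') {
        $problems += "Cloud service name '$CloudServiceName' must be 3-63 letters, digits or hyphens."
    }
    foreach ($value in $StorageAccountName, $CloudServiceName, $VNetName) {
        if ($value -match 'xxx') { $problems += "'$value' still contains the XXX placeholder." }
    }

    # 2. Add-AzureProvisioningConfig hands this password to Windows setup, which rejects anything
    #    shorter than 8 characters or with fewer than three of the four character classes.
    $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') | Where-Object { $AdminPassword -cmatch $_ }
    if ($AdminPassword.Length -lt 8 -or @($classes).Count -lt 3) {
        $problems += 'Admin password does not meet Windows complexity requirements.'
    }

    # 3. The subscription, the location and the Lab 1 virtual network must already exist.
    if (-not (Get-AzureSubscription -SubscriptionName $SubscriptionName -ErrorAction SilentlyContinue)) {
        $problems += "No subscription named '$SubscriptionName'; compare with Get-AzureSubscription."
    }
    if (-not (Get-AzureLocation | Where-Object { $_.Name -eq $Location })) {
        $problems += "'$Location' is not a location name that Get-AzureLocation reports."
    }
    $vnet = Get-AzureVNetSite -VNetName $VNetName -ErrorAction SilentlyContinue
    if (-not $vnet) {
        $problems += "Virtual network '$VNetName' not found; create it in Lab 1 first."
    } elseif (-not ($vnet.Subnets | Where-Object { $_.Name -eq $SubnetName })) {
        # Subnets / Name are assumed property names of the Get-AzureVNetSite output.
        $problems += "Subnet '$SubnetName' does not exist in '$VNetName'."
    }

    # 4. Globally unique names: Test-AzureName returns $true when the name is already in use.
    if (Test-AzureName -Storage -Name $StorageAccountName) {
        $problems += "Storage account name '$StorageAccountName' is already taken."
    }
    if (Test-AzureName -Service -Name $CloudServiceName) {
        $problems += "Cloud service name '$CloudServiceName' is already taken."
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)   # $true means it is safe to move on to the next section
}

# Run this before creating the storage account and cloud service; clear every warning first.
Test-LabVariables
```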
Your VHDs, which you will create in Lab 2 for your Azure virtual machines, will be stored in this storage account.

Perform this task from PowerShell ISE on your local workstation. Create your new storage account:
   New-AzureStorageAccount -StorageAccountName $storageAccountName -Location $locationName

Alternatively - Create a new storage account from the Azure management portal

1. In the leftmost column, scroll to and click STORAGE.
2. Click NEW ("+"), located at the bottom of the Azure management portal.
3. Make sure STORAGE is highlighted and click QUICK CREATE.
4. In URL, type the value you chose for $storageAccountName (PLEASE NOTE: it has to be all lowercase).
5. In LOCATION/AFFINITY GROUP, select the same location you used for your network.
6. In REPLICATION, select Locally Redundant.
7. Click CREATE STORAGE ACCOUNT.
(Image is an example only; adjust your entries to reflect your lab environment.)

Create a new service with PowerShell

By creating a cloud service, you are creating a boundary around a group of virtual machines that share the same external IP address and external firewall. When deploying a multi-tier application in Azure, you can define multiple roles to distribute processing and allow flexible scaling of your application. A cloud service consists of one or more web roles and/or worker roles, each with its own application files and configuration. Azure Websites and Virtual Machines also enable web applications on Azure. The main advantage of cloud services is the ability to support more complex multi-tier architectures.

In this section you will create a new cloud service to contain your domain controller virtual machines. By assigning your new VMs to this service, they will be able to communicate internally.

Perform the following tasks in PowerShell ISE.
1. Make your new storage account the current one for the subscription:
   Set-AzureSubscription -SubscriptionName $subscrName -CurrentStorageAccount $storageAccountName
2. Create the cloud service:
   New-AzureService -ServiceName $domainCloudService -Location $locationName

Alternatively - Create a new service from the Microsoft Azure management portal

Perform the following tasks in the Azure management portal.
1. In the leftmost column, scroll to and click CLOUD SERVICES.
2. Click NEW ("+") located at the bottom of the Azure management portal.
3. Make sure CLOUD SERVICE is highlighted and click QUICK CREATE.
4. In URL, type the value you chose for $domainCloudService. NOTE: the ID should be between 3 and 6 alphanumeric characters and must be unique across all of Azure (all customers, all accounts).
5. In REGION OR AFFINITY GROUP, select the same region you used for your network and storage account.
6. Click CREATE CLOUD SERVICE.
(Image is an example only; adjust your entries to reflect your lab environment.)

Lab 2: Building Workloads

Azure virtual machines give you the flexibility of virtualization without spending the time and money to buy and maintain the hardware that hosts the virtual machine. However, you do need to maintain the virtual machine -- configuring, patching, and maintaining the operating system and any other software that runs on the virtual machine.

In this lab you are going to deploy 2 virtual machines into Azure, in the same availability set.
- Domain Controller with Full GUI (DC01)
- Domain Controller with Server Core (DC02)

Deploy domain controllers in Microsoft Azure

In this task, you will deploy two virtual machines (VMs) to function as domain controllers in the virtual network you created in Lab 1. During the last portion of the lab you will also configure the AD service as the DNS server for the virtual network you created in Lab 1, and you'll assign it a static IP address (technically speaking this is a DHCP reservation in the subnet, but it is referred to as a static IP pretty much everywhere in Azure documentation).

Perform the following tasks in PowerShell ISE.

Create your first VM in the domain
1. Set up your first VM:
   $newVM = New-AzureVMConfig -Name $firstDC -InstanceSize $instancesize -Image $image |
       Add-AzureProvisioningConfig -Windows -Password $pwd -AdminUsername $un |
       Set-AzureSubnet -SubnetNames $subnet
2. Deploy your first VM:
   New-AzureVM -VMs $newVM -ServiceName $domainCloudService -VNetName $VnetName
3. Move the VM into the Availability Set:
   Get-AzureVM -ServiceName $domainCloudService -Name $firstDC | Set-AzureAvailabilitySet -AvailabilitySetName $dcAvalSet | Update-AzureVM

At this point you have created a single VM in Azure, running Windows Server 2012 R2. No modifications have been made to the OS. Next, you will remotely connect to this VM to install Active Directory and switch the OS to Server Core.

Preparing to Remotely Connect to Azure Virtual Machines

With the previous download, you installed the Azure Module to manage your Azure subscription. In order to remotely connect to the virtual machines you create, you will need to install a connection certificate for each machine you want to connect with. Download the following script from TechNet (https://aka.ms/psremotingscript) and put it someplace easy to access on your local machine. Open this file in another PowerShell ISE scripting tab. You will need to call this script later once your virtual machines are created.

4. To install the remote access certificate on your local machine, open the script saved earlier in the lab in another tab in PowerShell ISE.
5. Add the variables for your environment at line 70 in the script.
   $SubscriptionName = $subscrName
   $ServiceName = $domainCloudService
   $Name = $firstDC
6. Run the entire script. It will be saved and you should get a confirmation that the certificate has been imported to your local machine. Now you will be able to remotely connect to your machine via PowerShell.

For these next steps, understand that you are using PowerShell to connect directly to a VM. This VM happens to be in Azure, but these PowerShell commands would work for on-prem machines as well.

Note: Make sure your VM has completed configuration and is in the "running" state at this point.

7. Set the variables for your cloud service and server, then prompt for credentials:
   $uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
   $cred = Get-Credential
8. Start a PS-Session with your remote machine. You will be prompted to enter the username and password you set for the machine.
   Enter-PSSession -ConnectionUri $uri -Credential $cred
   You will see your PowerShell prompt change as you connect directly to a single machine instead of your Azure subscription.

Next you will install Active Directory and configure some users to use in the next lab.

NOTE: Much of this process can be automated by leveraging a Custom Script Extension as a part of the provisioning process. Custom Script Extensions can automatically download scripts and files from Azure Storage and launch a PowerShell script on the VM. These scripts can be used to install additional software components in addition to Active Directory. Custom Script Extensions can be added during VM creation or after the VM has been running. However, in order for you to understand how you can remotely connect to VMs in Azure and perform familiar tasks with PowerShell, you will be performing this process step-by-step.

9. Install Active Directory and configure the forest. You will be prompted to enter a password for Active Directory Safe Mode. Enter the same password you have been using for everything in this lab. For your reference, ForestMode 6 and DomainMode 6 will set the forest and domain at the Windows Server 2012 R2 functional level.
   Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
   Install-ADDSForest -DomainName "contosoazure.com" -ForestMode 6 -DomainMode 6

Once your VM completes the reboots and is in the running state, DC01 should have the IP address 192.168.10.4.
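The reboot after step 9 drops your remote session, so the promotion is easiest to verify from your local, Azure-connected PowerShell session. The following is an added example, not part of the lab guide: it checks over the same WinRM endpoint that DC01 came up as the forest root with DNS and the planned address, and then reserves 192.168.10.4 for it from PowerShell (the same reservation the preview-portal steps later in this lab make by hand). It assumes $uri and $cred from step 7 and $domainCloudService, $firstDC and $VnetName from Lab 1; Test-LabForestRoot and Reserve-LabStaticIP are this example's own function names.

```powershell
# Added example (not part of the lab guide): post-promotion checks for DC01 plus the static IP
# reservation. Test-LabForestRoot and Reserve-LabStaticIP are this example's own names.
function Test-LabForestRoot {
    param(
        [Parameter(Mandatory)][uri]$ConnectionUri,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$DomainName = 'contosoazure.com',
        [string]$ExpectedIP = '192.168.10.4'
    )
    # Runs on the DC over the same WinRM/HTTPS endpoint Enter-PSSession uses; only the result comes back.
    $remoteCheck = {
        param($DomainName, $ExpectedIP)
        Import-Module ActiveDirectory -ErrorAction Stop
        $forest   = Get-ADForest
        $dc       = Get-ADDomainController -Identity $env:COMPUTERNAME
        $services = Get-Service -Name NTDS, DNS, Kdc, Netlogon -ErrorAction SilentlyContinue
        # A DC must publish its _ldap SRV record in its own DNS, or other DCs and clients cannot find it.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
        $ips = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            RootDomain      = $forest.RootDomain
            ForestMode      = $forest.ForestMode
            IsGlobalCatalog = $dc.IsGlobalCatalog
            ServicesRunning = @($services | Where-Object { $_.Status -eq 'Running' }).Count -eq 4
            SrvRecordFound  = [bool]$srv
            IPAddresses     = $ips
            IPAsPlanned     = $ips -contains $ExpectedIP
        }
    }
    $r = Invoke-Command -ConnectionUri $ConnectionUri -Credential $Credential -ScriptBlock $remoteCheck -ArgumentList $DomainName, $ExpectedIP
    $r | Add-Member -NotePropertyName AllChecksPassed -PassThru -NotePropertyValue (
        $r.RootDomain -eq $DomainName -and $r.ServicesRunning -and $r.SrvRecordFound -and $r.IPAsPlanned)
}

function Reserve-LabStaticIP {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$IPAddress
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' was not found in cloud service '$ServiceName'." }
    # Test-AzureStaticVNetIP reports an address as unavailable when any VM holds it, including this
    # one, so only test when the VM currently sits on a different address.
    if ($vm.IpAddress -ne $IPAddress) {
        $check = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
        if (-not $check.IsAvailable) {
            throw "$IPAddress is in use; free addresses include $($check.AvailableAddresses -join ', ')."
        }
    }
    # The reservation is the 'static IP' Azure documentation talks about (a DHCP reservation in the subnet).
    $vm | Set-AzureStaticVNetIP -IPAddress $IPAddress | Update-AzureVM | Out-Null
    Get-AzureVM -ServiceName $ServiceName -Name $VMName | Select-Object Name, IpAddress, InstanceStatus
}

$result = Test-LabForestRoot -ConnectionUri $uri -Credential $cred
$result | Format-List
if ($result.AllChecksPassed) {
    # Lab 1 pointed the virtual network's DNS at 192.168.10.4, so DC01 must keep that address.
    Reserve-LabStaticIP -ServiceName $domainCloudService -VMName $firstDC -VNetName $VnetName -IPAddress '192.168.10.4'
} else {
    Write-Warning 'Fix the failed checks before reserving the address or promoting DC02.'
}
```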
You can look in the Azure Management Portal to confirm this.

Create users in your Active Directory

Once your machine reboots after the installation of Active Directory, you will need to initiate a new remote PowerShell session and add some components to your AD for use in Lab 3.

Note: When you are prompted for credentials, be sure to enter sysadmin@contosoazure.com as the username, because your local Admin account has become a domain administrator for the contosoazure.com domain.

1. Set the variables for your cloud service and server, then prompt for credentials:
   $uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $firstDC
   $cred = Get-Credential
2. Start a PS-Session with your remote machine. You will be prompted to enter the username and password you set for the machine.
   Enter-PSSession -ConnectionUri $uri -Credential $cred
3. Create OUs:
   New-ADOrganizationalUnit -Name "FINANCE" -Path "DC=contosoazure,DC=com"
   New-ADOrganizationalUnit -Name "IT" -Path "DC=contosoazure,DC=com"
   New-ADOrganizationalUnit -Name "SALES" -Path "DC=contosoazure,DC=com"
4. Add users:
   $newPassword = (Read-Host -Prompt "Provide New Password" -AsSecureString)
   New-ADUser -Name "Matt Deen" -Path "OU=FINANCE,dc=contosoazure,dc=com" -AccountPassword $newPassword -Department "Finance" -SamAccountName "MattDeen" -Surname "Deen" -GivenName "Matt" -DisplayName "Matt Deen"
   New-ADUser -Name "Bob Smith" -Path "OU=SALES,dc=contosoazure,dc=com" -SamAccountName "BobSmith" -GivenName "Bob" -Surname "Smith" -DisplayName "Bob Smith" -Department "Sales" -AccountPassword $newPassword
   New-ADUser -Name "Pat Holden" -SamAccountName "PatHolden" -GivenName "Pat" -Surname "Holden" -DisplayName "Pat Holden" -Department "Finance" -AccountPassword $newPassword
   New-ADUser -Name "Dan Chun" -SamAccountName "DanChun" -GivenName "Dan" -Surname "Chun" -DisplayName "Dan Chun" -Department "Finance" -AccountPassword $newPassword
   New-ADUser -Name "Karen Vogue" -Path "OU=sales,dc=contosoazure,dc=com" -SamAccountName "KarenVogue" -GivenName "Karen" -Surname "Vogue" -DisplayName "Karen Vogue" -Department "Sales" -AccountPassword $newPassword
5. Enable a user:
   Enable-ADAccount -Identity KarenVogue

Explore the virtual machines and connect via RDP

Now that the virtual machine is created, you want to log on and verify that it looks, feels, and behaves just like any server on your network.

Perform the following tasks in the Azure management portal.
1. On the left menu of the Azure management portal, scroll to and click VIRTUAL MACHINES.
2. At the end of the line containing <ID>-DC01, click the DNS Name to open the Cloud Service dashboard.
3. Click on the DASHBOARD tab.
   o You can review information about the running virtual machines, as well as view the current health.
4. Click the MONITOR tab.
   o You can view performance and data statistics.
5. Click the INSTANCES tab.
   o Here you can view the fault and update domains assigned to each VM in your Availability Set.
6. Click DC01 to open the VM dashboard.
7. Click the DASHBOARD tab.
   o You can review information about this specific virtual machine, as well as view its current health.
8. Click the MONITOR tab.
   o You can view performance and data statistics for this virtual machine.
9. Click the ENDPOINTS tab.
   o You can configure published endpoints, which are similar to firewall rules, to allow applications to access services running on the VM.
10. Click the CONFIGURE tab.
   o You can modify the properties of the virtual machine. You can also configure monitoring from multiple locations to ensure your endpoint is operational.
11. Click the DASHBOARD tab.
12. To open a remote desktop connection to the virtual machine, at the bottom of the screen click CONNECT, and then click Open.
13. Click Connect.
14. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the password. (Substitute the username and password you used during VM creation if different from the lab recommendations.)
15. Click Yes.
   o You are now logged on to the desktop of your newly created virtual machine.
16. Click No when prompted to enable discovery of devices.

Once connected, you can confirm the installation of the Active Directory service and the creation of the domain if you desire.

DC01 designated static IP – Using the New Preview Portal

The new portal offers some great enhancements to managing Azure. It is still in preview, but this task will give you a glimpse into the new portal. You'll perform a task here that you would otherwise have to use PowerShell for.
1. In the Azure management portal, click on your Account ID (e-mail address) in the upper right hand corner and click on Switch to new portal. Notice that a new browser tab automatically opens.
2. If prompted for your credentials, enter your ID and password to enter the new portal.
3. On the left hand toolbar in the portal click Browse, then scroll to and select Virtual machines.
4. In the Virtual machine list select your <ID>DC01.
5. In the DC01 journey pane select SETTINGS.
6. In the SETTINGS options select IP addresses.
7. In the IP addresses journey, NOTE that the Private IP address is set to Dynamic. Change it to STATIC and press Save. This reserves the IP address for this machine.

You may now close the new preview portal tab.

Next you will deploy the 2nd domain controller for your forest.

First, exit your remote session to DC01 by typing "exit" at the PowerShell prompt for your remote server. You will be returned to your local, Azure-connected session.

Create the second VM in the domain. This time you will automatically deploy the machine to the correct Availability Set. Take note of the "AvailabilitySetName" parameter in the New-AzureVMConfig command below:
1. Set up your second VM:
   $newVM = New-AzureVMConfig -Name $secondDC -InstanceSize $instancesize -Image $image -AvailabilitySetName $dcAvalSet |
       Add-AzureProvisioningConfig -Windows -Password $pwd -AdminUsername $un |
       Set-AzureSubnet -SubnetNames $subnet
2. Deploy your second VM:
   New-AzureVM -VMs $newVM -ServiceName $domainCloudService

Like the first VM, you will need to remotely connect to configure Active Directory and change any roles or features.
3. To install the remote access certificate on your local machine, return to the script saved in the other tab in PowerShell ISE. Edit the variables for your environment to reflect the name of the second machine.
   $SubscriptionName = $subscrName
   $ServiceName = $domainCloudService
   $Name = $secondDC
4. Run the entire script. You should get a confirmation that the certificate has been imported to your local machine.
5. Set the variables for your cloud service and server, then prompt for credentials:
   $uri = Get-AzureWinRMUri -ServiceName $domainCloudService -Name $secondDC
   $cred = Get-Credential
6. Start a PS-Session with your remote machine. You will be prompted to enter the username and password you set for the machine.
   Enter-PSSession -ConnectionUri $uri -Credential $cred
7. Install Active Directory and join the existing domain. You will be prompted for credentials to join the domain (use sysadmin@contosoazure.com) and to enter a password for Safe Mode.
   Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
   Install-ADDSDomainController -Credential (Get-Credential) -DatabasePath 'C:\Windows\NTDS' -DomainName 'contosoazure.com' -InstallDns:$true -LogPath 'C:\Windows\NTDS' -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' -SysvolPath 'C:\Windows\SYSVOL' -NoRebootOnCompletion:$true -Force:$true -Verbose
8. (Optional) Change from Full GUI to Server Core. Be patient, this takes a while. Once the machine is back up and running, connect to it via Remote Desktop to verify that it's just the core OS. You can continue on to Lab 3 while this reconfiguration is taking place. (The promotion in step 7 was run with -NoRebootOnCompletion, so if you skip the feature removal, still run the Restart-Computer line to complete it.)
   Remove-WindowsFeature -Name User-Interfaces-Infra
   Restart-Computer -Force

Lab 3: Working with Identity

Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much the same way that Active Directory is a service made available to customers through the Windows Server operating system for on-premises identity management, Azure Active Directory (Azure AD) is a service that is made available through Azure for cloud-based identity management.

Azure AD can be used as a standalone cloud directory for your organization, but you can also integrate existing on-premises Active Directory with Azure AD. Some of the features of integration include directory sync, password sync and single sign-on, which further extend the reach of your existing on-premises identities into the cloud for an improved admin and end user experience.

Create a new Azure Active Directory environment

In this task, you will create a new Azure Active Directory tenant. Perform the following tasks in the Azure management portal.
1. In the Azure management portal, click ACTIVE DIRECTORY.
2. Click NEW, click APP SERVICES, click ACTIVE DIRECTORY, click DIRECTORY, and then click CUSTOM CREATE.
3. In NAME, type Contoso-AZ-Directory.
4. In DOMAIN NAME, type AzureCONTOSO<ID> (where <ID> is your unique ID).
5. In COUNTRY OR REGION, select UNITED STATES, and then click the Complete icon.
   o If you are not in the United States, select it anyway to ensure the consistency of the lab steps.

Create an Azure Active Directory Administrator account

In this task, you will create a user account to serve as the administrator of your Azure Active Directory service. Perform the following tasks in the Azure management portal.
1. In the Azure management portal, click ACTIVE DIRECTORY, and then click Contoso-AZ-Directory.
2. Under Contoso-AZ-Directory, click USERS, located on the top menu.
3. In the bottom bar, click ADD USER.
4. In USER NAME, type AADAdmin, and then click the Next arrow.
5. In FIRST NAME, type AAD, and then in LAST NAME, type Admin.
6. In DISPLAY NAME, type AADAdmin.
7. In ROLE, select Global Administrator.
8. In ALTERNATE EMAIL ADDRESS, type any valid e-mail address you have access to, and then click the Next arrow.
9. Under Get temporary password, click create.
10. MAKE NOTE of this password as you will need it later.
11. Click the Complete icon.
12. Note the USER NAME value of the user; you will need this later.
   o The USER NAME value will be based on the account you used to manage Microsoft Azure.

Set a password for your admin account

In this task, you will perform an initial logon to set the password for the admin account. Perform the following tasks on your local workstation.
1. Close out of all web browser sessions or open an "In-Private" browser session.
2. Using Internet Explorer, navigate to manage.windowsazure.com.
3. Log in as AADAdmin using the unique <ID> and password you noted previously, i.e. AADAdmin@AzureContoso<ID>.onmicrosoft.com.
   o You will need to use the username value you noted earlier.
o You may need to sign out first. When prompted, change the password to Passw0rd! and then click Update password and sign in. o You will see a message “No subscriptions found.” This is expected. The user is not permitted to manage subscription level details. 19 4. Close Internet Explorer. Configure and test the AADSync Service In this task, you will configure Windows Server 2012 R2 and create a new user to test your synchronization when you enable DirSync, and then perform an initial sync to populate your Azure Active Directory service with copies of your local user accounts. Connect using RDP to DC01: 1. 2. 3. 4. 5. 6. 7. 8. 9. Close all web browsing sessions then reopen Internet Explorer and navigate to http://Manage.WindowsAzure.com. Log in with your Microsoft account used in the previous labs, not the AD administrator account from the previous section. On the left menu of the Azure management portal, click VIRTUAL MACHINES. Next to DC01, click the DC01 computer name to open the Virtual Machine Quick Start or Dashboard. Click DASHBOARD. On the bottom bar, click CONNECT, and then click Open. Click Connect. When prompted, log on as sysadmin@contosoazure.com using Passw0rd! as the password. Click yes. o You are now logged on to your virtual machine. 8. Open Server Manager and click Local Server on the left hand navigation pain. 9. Click on IE Enhanced Security Configuration and click on. 10. In the Security Configuration screen click off for both administrators and users. This is just for testing in this lab. 11. Click OK. Version 4.4 20 12. In Server Manager click tools and select Active Directory Users and Computers 10. As you browse the Users and Computers, you should see the names of the users you created via PowerShell. 11. Still on DC01: Using Internet Explorer, navigate to http://Azure.Microsoft.com 12. Log in as your subscription user, not the user you just created 13. In the Azure management portal, scroll to and click on ACTIVE DIRECTORY. 14. 
Click Contoso-AZ-Directory, and then click Directory Integration. 15. Next to DIRECTORY SYNC, click Activated. 16. Click Save, and then click Yes o Wait for the job to complete before proceeding. 17. Open Internet Explorer on the Domain Controller and go to http://aka.ms/azureadsync to download the Microsoft Azure Active Directory Sync Services 18. Click download 19. Save the tool to the desktop of the Domain Controller 20. On the DC’s desktop, right click on the MicrosoftAzureADConnectionTool and select Run As Administrator. This will install and configure the tool. 21. Check the I agree to the terms and click Install Version 4.4 21 NOTE: dirSync may take about 10 minutes or longer to install. 22. In User name, type AADAdmin@AzureContoso<ID>.onmicrosoft.com, replacing <ID> with the unique ID for your domain name. 23. In Password, type Passw0rd! and then click Next. 24. In the Forest type in ContosoAzure.com 25. In User name, type contosoazure\sysadmin. 26. In Password, type Passw0rd! and then click Add Forest 27. Click Next. 28. 29. 30. 31. On User Matching, leave the defaults and click Next On optional features select Password synchronization and click Next On the Configure screen review the options and click Configure.. When configuration has completed review the screen, verify Synchronize now is selected and then click Finish. 32. Switch to your Azure management portal, and then click ACTIVE DIRECTORY. 33. Click the Domain that synchronized, and then click Users and look for the users you created earlier o You should eventually see the users you created in AD now synchronized to your Azure Active Directory. Version 4.4 22 Implementing Multi-Factor Authentication Multi-factor or two-factor authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. 
It works by requiring any two or more of the following verification methods:
   o Something you know (typically a password)
   o Something you have (a trusted device that is not easily duplicated, like a phone)
   o Something you are (biometrics)

The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, the finder of that device won't be able to use it unless he or she also knows the user's password.

Azure Multi-Factor Authentication is the multi-factor authentication service that requires users to also verify sign-ins using a mobile app, phone call or text message. It is available to use with Azure Active Directory, to secure on-premises resources with the Azure Multi-Factor Authentication Server, and with custom applications and directories using the SDK.

In this task, you will configure Multi-Factor Authentication (MFA) with Microsoft Azure. To complete this module fully, you need to have a phone which can send and receive text messages or calls. You will configure this lab to use your phone as a second authentication factor; this is done by replying to a system-generated text or voice message.

We will start by enabling the MFA service:

1. Using Internet Explorer, navigate to manage.windowsazure.com.
2. Log on using your tenant account.
3. In Microsoft Azure, click ACTIVE DIRECTORY.
4. Click MULTI-FACTOR AUTH PROVIDERS, and then click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
5. In NAME, type Contoso-MFA, and ensure the correct subscription is selected (if you have multiple subscriptions tied to your Live ID).
6. For directory, select Contoso-AZ-Directory and then click CREATE.

Testing Multi-Factor Authentication

In this task, you will test multi-factor authentication. Ensure you have the phone readily available, as you will have a limited time to receive and reply to the text message generated by Microsoft Azure.

Perform this task on your local machine.

1. In the Microsoft Azure active directory portal, click directory and click Contoso-AZ-Directory.
2. On the top bar, click Configure.
3. Under the multi-factor authentication section, click Manage Service Settings.
4. If prompted, enter your tenant credentials.
5. In multi-factor authentication, click users on the top navigation bar.
6. Select one of the users synced from Active Directory and click Enable under quick steps.
   (Image is an example only; select a user that reflects your lab environment.)
7. On the information screen, review the message and click enable multi-factor auth.
8. Click Close.
9. Open a new tab in Internet Explorer and navigate to http://aka.ms/MFASetup.
   Note: If you are signed in, sign out to continue.
10. On the Sign in screen, type the username and password you created earlier (such as KarenVogue@AzureContoso<ID>.onmicrosoft.com and Passw0rd!) and click sign in.
11. Since this is the first time the user has logged in, you will need to configure MFA; click Set it up now.
12. Fill in your contact information (the phone number of your mobile phone), select the Call me radio button, and click Contact me.
13. Answer your phone when it rings and listen to the instructions. Press # to finish the authentication process. On the Additional security verification screen, click Done.

Lab 4: Automating Deployments of SQL and IIS

This lab gives you an opportunity to experience using PowerShell to drive the automation of deployments. You can download the full script to run at http://aka.ms/tiy or at http://aka.ms/lab4script. The script demonstrates automatic deployment of Microsoft Azure Infrastructure Services using Azure PowerShell.
This particular demo illustrates the concept from deploying a set of VMs forming an application architecture (IaaS), to configuring a target runtime environment (PaaS), to creating and starting a two-tier application instance (SaaS). What it deploys is not just VMs, but a set of VMs collectively delivering a data management application, as shown below. The value proposition of this exercise is an end-to-end, highly automated deployment of a target application instance on demand, i.e. application deployment as a service.

[Diagram: an Azure Region containing a cloud service with its endpoint/load balancer (Service EP/LB) and the SQL01 and WEBFE01 virtual machines; SQL01 listens on port 1433]

The requirements to run this script are:
1. Have Azure PowerShell installed locally. Ref: http://aka.ms/AzureCmdlets
2. Be able to log in with an Azure account.

Here are the steps to run the script:
1. Access the script at http://aka.ms/TIY and click Lab4 Script.
2. Click RAW to open it as text.
3. Press Ctrl-A to select all and Ctrl-C to copy.
4. Start a PowerShell ISE session as administrator on your local desktop.
5. If you do not see the script pane, press Ctrl-R to show it.
6. Click the white space of the script pane and press Ctrl-V to paste the script.
7. Save the script to your intended location.
8. Press F5 to run the script.
9. Follow the screen output and respond to the prompts.
10. Log in to the Contoso data management app with 12345 as the password and test the application.
11. Answer yes or no in the ISE session to delete or keep the deployment upon finishing your tests.

The coding style and the organization of this script are for clarity and readability, instead of efficiency and optimization. Notice that in this script all credentials are provided and passed as plain text for simplicity. There is very limited error handling. This script is for learning and training, and not for production use.

APPENDIX - Perform the following tasks in the Azure management portal to set up your Virtual Machines.

If you would rather use the portal to set up VMs in Azure without PowerShell, you can do so by following this sample guide.

1. In the Azure management portal, click VIRTUAL MACHINES.
2. Click NEW (the plus "+" sign) located at the bottom of the Azure management portal.
3. Click COMPUTE, click VIRTUAL MACHINE, and then click FROM GALLERY.
4. In Choose an Image, click Windows Server 2012 R2 Datacenter, and then click the Next arrow.
5. Create a new virtual machine using the values in the following table. Please note: you can use your own username and password, just make sure to remember it!

   Property                     Value
   VIRTUAL MACHINE NAME         ABC-DC01
   TIER                         Standard
   SIZE                         A1
   USER NAME                    SysAdmin
   NEW PASSWORD and CONFIRM     Passw0rd!

6. Then click the Next arrow.
7. On the Virtual machine configuration page 3, in CLOUD SERVICE, select the correct cloud service or create a new one based on your lab instructions.
   o ABC-VNet will be automatically selected. If you do not have ABC-VNet available, you likely have the ABC-VNet in a different Location. Go back and fix the location to make sure it's the same.
8. In STORAGE ACCOUNT, select <ID>storage (from Lab 1).
   o If your storage account is not in the list, you may have to cancel out of this wizard, wait a few minutes for it to finish building, and try again.
9. In REGION/AFFINITY GROUP/VIRTUAL NETWORK, verify that ABC-VNet is selected.
10. In VIRTUAL NETWORK SUBNETS, verify that the correct subnet is selected (either Core-Subnet or AppSubnet), and then click the Next arrow.
11. Click the Complete icon.
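Post-promotion checks for the second domain controller deployed at the end of Lab 2, as an added PowerShell example that is not part of the lab guide: it assumes the forest name contosoazure.com and the DC names DC01 and DC02 from the lab, and runs in an elevated session on either DC (Server Core included).

```powershell
# Added example (not from the lab guide): confirm that the second domain
# controller is healthy before building the identity labs on top of it.
# Assumptions: forest contosoazure.com, domain controllers DC01 and DC02.
Import-Module ActiveDirectory

# 1. Both DCs should be listed, each with a site, an address and the Global
#    Catalog role (the lab promoted DC02 with -NoGlobalCatalog:$false).
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# 2. Inbound replication into DC02 should show a recent success and no run of
#    consecutive failures for each partner and partition.
Get-ADReplicationPartnerMetadata -Target 'DC02' -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. Any replication failure recorded anywhere in the forest.
$failures = Get-ADReplicationFailure -Target 'contosoazure.com' -Scope Forest
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime |
        Format-Table -AutoSize
} else {
    'No replication failures reported.'
}

# 4. The users created on DC01 earlier in Lab 2 must also be readable from DC02;
#    a count of zero here means replication has not completed yet.
$userCount = (Get-ADUser -Filter * -Server 'DC02' | Measure-Object).Count
"Users visible on DC02: $userCount"
```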
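A PowerShell check for the Lab 3 results, added here and not part of the lab guide: using the MSOnline module it confirms that directory sync and password sync ran, lists the users that came from the on-premises forest, and enables per-user MFA for one synced user (the equivalent of the portal's Enable step under Testing Multi-Factor Authentication). It assumes the tenant admin AADAdmin@AzureContoso<ID>.onmicrosoft.com and the test user KarenVogue@AzureContoso<ID>.onmicrosoft.com from the lab, with <ID> replaced.

```powershell
# Added example (not from the lab guide): verify AADSync and enable MFA for a
# synced user with the MSOnline module. Replace <ID> in both UPNs before running.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Tenant admin: AADAdmin@AzureContoso<ID>.onmicrosoft.com')

# 1. Directory sync and password sync should both be enabled; LastDirSyncTime
#    should be recent, and LastPasswordSyncTime is empty until the first hash sync.
Get-MsolCompanyInformation |
    Select-Object DisplayName, DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# 2. Users that came from the on-premises forest carry a LastDirSyncTime and an
#    ImmutableId; cloud-only users such as AADAdmin have neither.
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, ImmutableId |
    Format-Table -AutoSize

# 3. Enable per-user MFA for one synced user. RelyingParty '*' applies the
#    requirement to every application; State 'Enabled' makes the user register
#    a verification method at the next sign-in (the http://aka.ms/MFASetup flow).
$upn = 'KarenVogue@AzureContoso<ID>.onmicrosoft.com'   # lab test user; replace <ID>
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# 4. Confirm the result. State reads Enabled now and changes to Enforced once the
#    user completes registration; the registered methods list stays empty until then.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState';   Expression = { $_.StrongAuthenticationRequirements.State } },
        @{ Name = 'MfaMethods'; Expression = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' } }
```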