Build a PDC in Azure with DSC
There are a lot of ARM templates out there that can do this. In this post, though, we will go through the nitty-gritty of using DSC to automate the setup of the PDC (the first domain controller of a new forest). Before we begin, I assume you already know what DSC is and does. Otherwise, check it out here.
First, let's build a new VM in Azure with these PowerShell commands. In this case the VM gets a public IP and is reachable directly from the Internet. To be clear, this is definitely not a practice you want to adopt in production; at minimum restrict inbound access to the management ports with an NSG.
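As an added example (not the post's own commands), the following Az PowerShell script builds a comparable VM. The resource group, region, VM name, image SKU and the source IP in the NSG rule are assumptions; the NSG is the one concession to the warning above, so RDP is reachable only from a single address rather than from the whole Internet.

```powershell
# Added example: Windows Server VM with a public IP, RDP restricted to one source.
$rg        = 'rg-dsc-pdc'       # assumed resource group name
$location  = 'australiaeast'    # assumed region
$vmName    = 'dc01'             # assumed VM / computer name
$myIp      = '203.0.113.10'     # assumed: your own egress IP (TEST-NET-3 placeholder)
$adminCred = Get-Credential -Message 'Local administrator for the new VM'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Network: VNet + subnet, static public IP, and an NSG that only admits RDP from $myIp
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-dc' -AddressPrefix '10.10.0.0/24'
$vnet   = New-AzVirtualNetwork -Name 'vnet-dsc' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$pip    = New-AzPublicIpAddress -Name "$vmName-pip" -ResourceGroupName $rg -Location $location `
            -AllocationMethod Static -Sku Standard
$rdp    = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-admin' -Protocol Tcp -Direction Inbound `
            -Priority 100 -SourceAddressPrefix $myIp -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange 3389 -Access Allow
$nsg    = New-AzNetworkSecurityGroup -Name "$vmName-nsg" -ResourceGroupName $rg -Location $location `
            -SecurityRules $rdp
$nic    = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location `
            -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# VM definition. Only the OS disk is created here; the NTDS data disk is added later,
# because the OS disk's host write cache is not suitable for the AD DS database.
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3' |
    Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $adminCred `
        -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2019-Datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMOSDisk -CreateOption FromImage -StorageAccountType 'Premium_LRS'

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig
```

The VM agent is provisioned explicitly because the DSC extension that Azure Automation pushes at registration time depends on it.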
Next we need to create an Automation Account in Azure. I am sure you know how to get that done.
While you are in the portal, let's get all the prerequisites ready before uploading the DSC configuration.
First, go to Modules in the Automation Account and install the following modules, if they are not already installed. They can be imported directly from the Gallery.
Next, go to Credentials in the Automation Account and create the following two credential assets. The reason for doing it this way is well explained in this Stackoverflow article.
- DCcred – the domain admin account
- DCRecoveryCred – the Directory Services Restore Mode (DSRM, "safe mode administrator") password; you can put anything in the username, as it is not used
Now we can start writing the DSC configuration for the PDC. Below is the code; save it as a .ps1 file. You will notice it requires all three modules we just installed in Azure Automation and pulls the PSCredentials from the Automation Account at compile time, so no password is embedded in the script.
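The portal steps above (Automation Account, module import, credential assets) can be scripted; the block below is an added example and not the post's own commands. The account name, the module set and the pinned versions are assumptions: the post does not name its three modules here, and the ones used below are the currently maintained DSC resource modules for AD DS, disks and reboots.

```powershell
# Added example: Automation Account, DSC resource modules and the two credential assets.
$rg       = 'rg-dsc-pdc'      # assumed
$location = 'australiaeast'   # assumed
$aaName   = 'aa-dsc-pdc'      # assumed Automation Account name

New-AzAutomationAccount -ResourceGroupName $rg -Name $aaName -Location $location | Out-Null

# Pin module versions (assumed values; use the versions you have vetted). The
# ContentLinkUri points at the gallery .nupkg for exactly that version, so an
# upstream release cannot silently change what your node configuration pulls in.
$modules = @{
    'ActiveDirectoryDsc'    = '6.2.0'
    'StorageDsc'            = '5.0.1'
    'ComputerManagementDsc' = '8.5.0'
}
foreach ($m in $modules.GetEnumerator()) {
    $uri = "https://www.powershellgallery.com/api/v2/package/$($m.Key)/$($m.Value)"
    New-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $aaName `
        -Name $m.Key -ContentLinkUri $uri | Out-Null
}

# A module still in the 'Creating' state makes the later compilation job fail,
# so wait for every import to settle before moving on.
do {
    Start-Sleep -Seconds 15
    $states = foreach ($name in $modules.Keys) {
        (Get-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $aaName `
            -Name $name).ProvisioningState
    }
} while ($states -contains 'Creating')
if ($states -contains 'Failed') { throw "Module import failed: $($states -join ', ')" }

# Credential assets. Prompting keeps the secrets out of the script file and the
# shell history; the DSC configuration reads them with Get-AutomationPSCredential.
$dcCred   = Get-Credential -Message 'DCcred: domain admin (DOMAIN\user or user@domain)'
$dsrmCred = Get-Credential -Message 'DCRecoveryCred: DSRM password (username is ignored)'
New-AzAutomationCredential -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'DCcred' -Value $dcCred -Description 'Domain admin for promotion' | Out-Null
New-AzAutomationCredential -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'DCRecoveryCred' -Value $dsrmCred -Description 'AD DS safe mode / DSRM password' | Out-Null
```

Whoever can read these assets or compile configurations in the account effectively holds the domain admin and DSRM passwords, so scope the Automation Account's RBAC accordingly.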
Apart from installing the necessary roles and features, another thing worth noting is the part of the configuration that waits for and formats a second disk for the NTDS database and log files. The reason is that an Azure OS disk has host write caching enabled by default, and AD DS depends on write-through semantics that a write-back cache does not guarantee, which can corrupt the directory database. Microsoft's guidance is therefore to put NTDS and SYSVOL on a data disk whose host cache preference is set to None. Here is the MS document supporting this argument.
Now, our original VM created with PowerShell does not have a second disk attached. Let's use the commands below to add one.
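The configuration below is an added example of the approach just described, not the post's own ps1. It assumes the three modules ActiveDirectoryDsc, StorageDsc and ComputerManagementDsc at the versions shown, drive letter F:, and that the data disk attached at LUN 0 shows up as disk number 2 (disk 0 is the OS disk and disk 1 the temporary disk on an Azure VM); the parameter and resource names are also mine.

```powershell
# Added example DSC configuration for the first DC of a new forest.
Configuration PDC
{
    param (
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $DomainNetBiosName
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc    -ModuleVersion '6.2.0'   # assumed versions
    Import-DscResource -ModuleName StorageDsc            -ModuleVersion '5.0.1'
    Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion '8.5.0'

    # Resolved at compile time from the Automation Account's credential assets,
    # so no password appears in this file or in source control.
    $domainCred   = Get-AutomationPSCredential -Name 'DCcred'
    $safeModeCred = Get-AutomationPSCredential -Name 'DCRecoveryCred'

    Node $AllNodes.NodeName
    {
        WindowsFeature ADDS {
            Name   = 'AD-Domain-Services'
            Ensure = 'Present'
        }
        WindowsFeature DNS {
            Name   = 'DNS'
            Ensure = 'Present'
        }
        WindowsFeature RSAT {
            Name      = 'RSAT-AD-Tools'
            Ensure    = 'Present'
            DependsOn = '[WindowsFeature]ADDS'
        }

        # Second disk for NTDS and SYSVOL. It must have been attached with host
        # caching set to None; DSC can format it but cannot fix the cache setting.
        WaitForDisk NtdsDisk {
            DiskId           = 2          # assumed: first data disk = disk number 2
            DiskIdType       = 'Number'
            RetryIntervalSec = 30
            RetryCount       = 20
        }
        Disk NtdsDisk {
            DiskId             = 2
            DiskIdType         = 'Number'
            DriveLetter        = 'F'
            FSFormat           = 'NTFS'
            FSLabel            = 'NTDS'
            AllocationUnitSize = 64KB     # 64 KB clusters for the Jet database files
            DependsOn          = '[WaitForDisk]NtdsDisk'
        }

        ADDomain Forest {
            DomainName                    = $DomainName
            DomainNetBiosName             = $DomainNetBiosName
            Credential                    = $domainCred
            SafemodeAdministratorPassword = $safeModeCred
            DatabasePath                  = 'F:\NTDS'
            LogPath                       = 'F:\NTDS'
            SysvolPath                    = 'F:\SYSVOL'
            DependsOn                     = '[WindowsFeature]ADDS', '[Disk]NtdsDisk'
        }

        # Promotion leaves a reboot pending. If the LCM is registered with
        # RebootNodeIfNeeded the node restarts itself here; otherwise this is the
        # manual reboot described later in the post.
        PendingReboot AfterPromotion {
            Name      = 'AfterDcPromo'
            DependsOn = '[ADDomain]Forest'
        }
    }
}
```

The `WaitForDisk` resource is what makes the configuration safe to apply before the data disk has been attached: it retries rather than falling through to `ADDomain` with NTDS on the cached OS disk.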
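As an added example (not the post's own commands), this attaches the data disk with host caching disabled and then verifies the setting before the node is handed to DSC. Resource group, VM name, disk size and the disk name are assumptions.

```powershell
# Added example: attach an uncached data disk for NTDS/SYSVOL and verify it.
$rg     = 'rg-dsc-pdc'   # assumed
$vmName = 'dc01'         # assumed

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# -Caching None is the whole point: AD DS relies on write-through semantics that
# a write-back host cache does not guarantee. LUN 0 matches the disk number the
# DSC configuration waits for.
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 -Caching None `
        -CreateOption Empty -DiskSizeInGB 64 -StorageAccountType 'Premium_LRS'
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Verify from the platform side, not just from inside the guest.
$dataDisks = (Get-AzVM -ResourceGroupName $rg -Name $vmName).StorageProfile.DataDisks
$dataDisks | Select-Object Name, Lun, Caching, DiskSizeGB | Format-Table -AutoSize
$cached = $dataDisks | Where-Object { "$($_.Caching)" -ne 'None' }
if ($cached) {
    throw "Host caching is still enabled on: $($cached.Name -join ', ')"
}
```

Changing the cache setting on a disk that already holds NTDS requires stopping the VM and updating the disk, so it is far cheaper to get it right here than after promotion.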
Next we upload our DSC script to Azure.
After uploading the script, we need to compile it so it can be pushed to the Azure Windows VM. This is done through the PowerShell script below. As you can see, we need to specify the parameters and the configuration data; the configuration data is also where the node is allowed to receive the credentials, which Azure Automation encrypts in the compiled MOF.
If all goes well, you should see something like below.
Next, we need to apply the compiled configuration to the node (the Windows VM). You will need to reboot the server after the initial DSC push; this finishes installing the roles and features before the promotion runs.
Once the configuration is applied, it will take a while for Azure Automation to receive the final status from the node.
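The upload, compile, register and status-polling steps above as one added example (not the post's own script). The account and VM names, the path to the configuration file and the domain names passed as parameters are assumptions, and the node configuration name follows Azure Automation's `<Configuration>.<NodeName>` convention.

```powershell
# Added example: publish the configuration, compile it, assign it to the VM and wait.
$rg         = 'rg-dsc-pdc'        # assumed
$aaName     = 'aa-dsc-pdc'        # assumed
$vmName     = 'dc01'              # assumed; also the NodeName in the config data
$configPath = '.\PDC.ps1'         # assumed: the file holding 'Configuration PDC'

# 1. Upload. -Published makes it available to compilation jobs immediately.
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $aaName `
    -SourcePath $configPath -Published -Force | Out-Null

# 2. Compile. PSDscAllowPlainTextPassword is demanded by the MOF generator whenever
#    a PSCredential is embedded; Azure Automation encrypts the stored MOF and the
#    transfer to the node, so the password is not actually kept in plain text.
$configData = @{
    AllNodes = @(
        @{
            NodeName                    = $vmName
            PSDscAllowPlainTextPassword = $true
            PSDscAllowDomainUser        = $true   # needed when DCcred is DOMAIN\user
        }
    )
}
$params = @{ DomainName = 'corp.example.com'; DomainNetBiosName = 'CORP' }   # assumed

$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aaName `
    -ConfigurationName 'PDC' -Parameters $params -ConfigurationData $configData
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aaName `
        -Id $job.Id
} until ($job.Status -in 'Completed', 'Failed', 'Suspended')
if ($job.Status -ne 'Completed') {
    Get-AzAutomationDscCompilationJobOutput -ResourceGroupName $rg -AutomationAccountName $aaName `
        -Id $job.Id -Stream Error
    throw "Compilation ended with status '$($job.Status)'"
}

# 3. Register the VM with the pull server and assign the node configuration.
#    RebootNodeIfNeeded lets the LCM do the post-install reboot itself; leave it
#    $false if you prefer the manual reboot the post describes.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aaName `
    -AzureVMName $vmName -AzureVMResourceGroup $rg `
    -NodeConfigurationName "PDC.$vmName" `
    -ConfigurationMode 'ApplyAndMonitor' -ConfigurationModeFrequencyMins 15 `
    -RefreshFrequencyMins 30 -RebootNodeIfNeeded $true -ActionAfterReboot 'ContinueConfiguration'

# 4. Poll the node. The first report only arrives after the reboot, so expect
#    'Pending' for a while before 'Compliant' or 'Failed'.
do {
    Start-Sleep -Seconds 60
    $node = Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aaName -Name $vmName
    "{0:u}  {1}" -f (Get-Date), $node.Status
} until ($node.Status -in 'Compliant', 'Failed')
```

`ApplyAndMonitor` reports drift without reverting it, which is usually what you want on a domain controller; `ApplyAndAutoCorrect` would let the LCM re-run the configuration on every consistency check.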