Microsoft Windows: Extending Active Directory

to Oracle Cloud Infrastructure

Quick Start White Paper
ORACLE WHITE PAPER | JUNE 2017 | VERSION 1.1
Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Table of Contents

Disclaimer 1

Assumptions 3

Target Audience 3

Introduction 4

Setting up the network environment 5

Creating the Security Lists 5

Create the Route Table 5

Create Security List Rules 5

Creating the Subnets 6

Instances 7

Configuring the Domain Controllers 8

Installing the server roles 8

Configure DNS 11

Join the domain 13

Promote the domain controller 15

Testing Active Directory 17

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Assumptions
Consumers of this document should:

» Be familiar with the fundamentals of the Oracle Cloud Infrastructure:

» https://docs.us-phoenix-1.oraclecloud.com/
The Oracle Cloud Infrastructure walkthrough is highly recommended if this is the first time you have used
the platform:
» https://docs.us-phoenix-1.oraclecloud.com/Content/GSG/Reference/overviewworkflow.htm
» Have an existing Virtual Cloud Network (VCN) already created and configured:
» https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/managingVCNs.htm
» Have a VPN or FastConnect connection fully configured between the on-premises environment and your VCN:
» FastConnect: https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Concepts/fastconnect.htm
» VPN: https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/managingIPsec.htm
» Have a basic understanding of Active Directory:
» Active Directory key concepts

Target Audience
This whitepaper is targeted at customers who would like to understand how to extend their on-premises Active
Directory environment to Oracle Cloud Infrastructure.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Introduction
This whitepaper walks you through the process of extending your Windows Active Directory infrastructure in
Oracle Cloud Infrastructure. Two read-only domain controllers will be installed, each in different Availability
Domains (ADs) (for redundancy). A third system will be used as a test server to ensure that you can both join to
and log in to the domain controllers running in Oracle Cloud Infrastructure.

In order for you to accomplish this, several assumptions are made:

- A secure (nonpublic) connection exists between your on-premises environment and Oracle Cloud
Infrastructure (this can either be a FastConnnect or IPSec VPN connection, as shown in the
diagram below).

- You have a domain admin account in the on-premises Active Directory environment (or an account
that has permission to both join the domain and install a domain controller).

Best Practice

The domain controllers should not be accessible externally from the internet. Allowed access should only be from
specific IP addresses from the on-premises network. These IP addresses should include the current on-premises
Active Directory controllers and any Administrative desktops that will be used to create/manage the domain
controllers

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Setting up the network environment
This whitepaper assumes that a VCN has already been configured and there is sufficient IP address space to create
at least 2 new subnets. These subnets (as illustrated in the diagram above) will be used to host the 2 read-only
domain controllers created in the steps below. Because subnets are associated with Availability Domains (ADs),
this ensures that each of the domain controllers reside in different ADs, thereby removing a single point of failure in
the Active Directory environment. In the examples that follow, an IP space of 10.x.x.x is assumed.

Each of the subnets will require a route table and at least one security list. The route table for the domain controller
subnets should already exist since your VCN is already connected to your on-premises environment using this route
table. If you don’t already have a route table that can be used for the test server (assuming it requires internet
access), you can create one as outlined below.

Creating the Security Lists

You need at least two security lists: one for the Active Directory domain controllers and one for the test server. This
section will only create the security lists themselves and not the security list rules (those are outlined later in this
whitepaper).

Create two security lists:

 Production - Admin (Public)

 Production - Applications (Private)

Best Practice

Always be as prescriptive in your naming of Oracle Cloud Infrastructure components as you can. This will make
it easier in the future when you have to revisit an environment.

Create the Route Table

Next, create a route table that can be used for the test. This route table will be used to allow the test server to route
to the Internet. The route table used for the domain controllers should route traffic to your on-premises network.

Create the following route table:

 Production - Application (Private)

Create Security List Rules

Active Directory uses a number of protocols to communicate, including RPC, NetBIOS, SMB, LDAP, Kerberos,
WINS and DNS. While your configuration may only use some of these, all are listed here. For example, if WINS is
not used in your environment, you can remove those from the list.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

As stated in the best practice section, all the domain controllers should be in a subnet that either has no external IP
addresses or has no access from the Internet. Due to this, you may want to just enable all ports to communicate
between your subnets and the Active Directory subnets. If you choose to do this, however, be aware that this still
opens potential paths of attack from those subnets. Therefore, it is a best practice to only open the ports listed below
between the subnets:

Name Protocol Port

DNS TCP, UDP 53

LDAP TCP, UDP 389

LDAP over SSL TCP 636

Global catalog LDAP TCP 3268

Global catalog LDAP over SSL TCP 3269

Kerberos TCP, UDP 88

RPC endpoint mapper TCP, UDP 135

NetBIOS name service TCP, UDP 137

NetBIOS datagram service UDP 138

NetBIOS session service TCP 139

SMB over IP (Microsoft-DS) TCP, UDP 445

WINS resolution TCP, UDP 1512

WINS replication TCP, UDP 42

Create new ingress rules on the Production Active Directory security list to allow the required port communication
into the new Active Directory subnets (make sure these rules exist to allow traffic between the two domain controller
subnets). Also make sure that you enable TCP port 3389 (RDP) from the internal on-premises network to all three
subnets.

Creating the Subnets

As mentioned previously, you will need at least 2 subnets (a third subnet in the third Availability Domain can be
used for extra availability of the Active Directory environment). The subnets for this whitepaper are:

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 Availability
Name CIDR Block Route Table Security Lists
Domain

Production - PHX-AD-1 10.0.1.0/24 Production - Admin Production - Admin

Admin - PHX-AD-1 (Private) (Private)

Production - PHX-AD-2 10.0.2.0/24 Production - Admin Production - Admin

Admin - PHX-AD-2 (Private) (Private)

Production – PHX-AD-1 10.0.10.0/24 Production - Production -

Application - PHX- Application (Private) Application
AD-1 (Private)

Instances
Our environment requires three instances. Two will be used for the Active Directory domain controllers and the third
will be used as a test server.

Use the following properties to create the instances (the instance shape we used for this white paper
(VM.Standard1.4) is a recommendation, you can scale it up or down as you deem fit):

Name Image Shape Availability Domain Subnet

DC-1 Windows-Server- VM.Standard1.4 PHX-AD-1 Production Active Directory -

2012-R2- PHX-AD-1
Standard-Edition-
VM

DC-2 Windows-Server- VM.Standard1.4 PHX-AD-2 Production Active Directory -

2012-R2- PHX-AD-2
Standard-Edition-
VM

Test-Srv Windows-Server- VM.Standard1.4 (Dependent on your (Dependant on your

2012-R2- network configuration) network configuration)
Standard-Edition-
VM

For each instance, record the RFC1918 IP addresses:

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 Instance RFC1918 IP

DC-1

DC-2

Test-SRV

Configuring the Domain Controllers

You are now ready to install the appropriate roles and features on the servers and promote them to Read Only
Domain Controllers. To do that, you will need to complete the following steps:

1. Install Active Directory Domain Services and DNS Server roles.

2. Configure the DNS server.

3. Join the domain.

4. Promote the server to a read-only domain controller.

Installing the server roles

For this server to be promoted to a domain controller, you need to install the Active Directory Domain Services
role. You can also install the DNS Server role if you want to replicate some of the DNS entries from your on-
premises DNS servers. This role is optional, but is covered in the instructions below.

Information needed:

1. Credentials for Windows OPC account.

Install the Active Directory Domain Services Role:

1. Log in to the first instance that is to be promoted to a domain controller, using the OPC user credentials
(administrator user).

2. Run Server Manager.

3. Click Add Roles and Features.

4. Click Next until you get to the Server Role dialog.

5. Select the Active Directory Domain Services checkbox.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 6. In the dialog box that appears, click the Add Features button.

7. (Optional) Select the DNS Server checkbox.

8. In the dialog box that appears, click the Add Features button.

Note: If you selected to install the DNS Server role, you will get a warning dialog box informing you that
no static IP addresses were found on the computer. Because the IP address associated with this
instance will be associated with it for the life of the instance, you can click the Continue button.

9. Once these 2 options have been selected, click Next to continue:

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 10. Click Next until you get to the Confirmation dialog. Check Restart the destination server automatically
if required (accept the pop up dialog box) and click Install:

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 11. The installation of the new roles will begin. Once the installation is complete, you can click Close to
complete the Add roles and features wizard.

Repeat the steps above for the second domain controller.

Configure DNS
Before you can join the domain and promote the domain controller, you need to reconfigure the DNS server to point
to the on-premises Active Directory DNS server. (Another option is to create a DNS server in the Oracle Cloud
Infrastructure environment that can receive a Zone transfer from the on-premises DNS servers. This will allow you to
use the Oracle Cloud Infrastructure DNS server to join the domain.) Having the DNS server on the soon-to-be
domain controller map to the on-premises DNS server will allow the server to resolve the domain information and
join the domain.

Information needed:

1. Credentials for Windows OPC account.

2. IP address(es) of the on-premises DNS server(s).

Configure the on-premises DNS server:

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 1. Log in to the first system as the OPC user.

2. Right-click the Network icon in the right corner of the screen and choose Open Network and Sharing
Center.

3. Click Change adapter settings in the left pane.

Note: The options appearing in the Network Connections window discussed here are for instances
launched as Virtual Machine instances. If you launched the Windows servers as Bare Metal instances, the
name of the adapter will be different, however, the steps are the same regardless of instance type.

4. Right-click the Ethernet network adapter (it should be labeled “Intel(R) 82599 Virtual function”) and
choose Properties. (For Bare Metal instances, it should be labeled “Intel(R) Ethernet Server Adapter
X520-2” or similar.)

5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

6. Choose Use the following DNS server addresses.

7. Enter the IP address(s) of the on-premises DNS server(s) and click OK.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 8. Click Close.

9. You can test that the DNS server is working by either navigating to a public website (assuming that your
instance(s) have Internet access) or by running the nslookup command from a command prompt.

Repeat the steps above for the second domain controller.

Join the domain

Now that the DNS server is configured on your instance, you can join the domain.

Information needed:

1. Credentials for Windows OPC account.

2. Domain credentials for an account that has permission to join the domain.

3. The Fully Qualified Domain Name (FQDN) of the domain to be joined.

Join the domain:

1. Log in to the first system as the OPC user.

2. Run Windows Explorer.

3. Right-click This PC and choose Properties.

4. In the Computer name, domain, and workgroup settings section, click Change settings.

5. Click Change.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 6. Select the Domain radio button.

7. Enter the FQDN name of the domain that you are joining and click OK.

8. If the DNS server is configured correctly, you should be prompted with a dialog box to enter the domain
administrator credentials. Enter the credentials and click OK.

9. If the credentials are correct and have the appropriate permissions, you should receive a Welcome to the
… domain message.

10. Click OK to close the dialog.

11. Another dialog box notifying you that you need to reboot the server will be displayed, click OK.

12. Click Close to close the System Properties control panel.

13. Click Restart Now to restart the server

Repeat the steps above for the second domain controller.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Promote the domain controller

Information needed:

1. Domain credentials for an account that has domain administrator permission to promote a server as a
domain controller.

Promote the server to a read-only domain controller:

1. Log in to the first system as a domain administrator (or account that has equivalent permissions). You will
need to change the username from “.\opc” to “your_domain\your_domain_admin”

2. Run Server Manager.

3. You should notice a yellow warning notification icon. Click it and you should see a message stating that
configuration is required for Active Directory Services. Click Promote this server to a domain controller.

4. In the Active Directory Domain Services Configuration Wizard, make sure that Add a domain controller
to an existing domain is selected, the correct domain is listed in the Domain field, and the credentials
displayed are correct, and click Next.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 5. If this domain controller is to become a read-only domain controller, make sure you check the Read only
domain controller (RODC) checkbox, otherwise, leave the checkbox unchecked.

6. Enter and confirm a password for Directory Services Restore Mode (DSRM) and click Next.

7. If you chose to install a read-only domain controller, select Delegated administrator account and list the
account(s) that are allowed or denied from replicating passwords to this domain controller and click Next.

8. Click Next until you get to the Prerequisites Check step. You may be presented with some warnings on
this screen, review the warnings and click Install.

9. The server will reboot at the end of the installation process.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Testing Active Directory
Your Oracle Cloud Infrastructure tenancy should now have two read-only domain controllers and you can now test if
these domain controllers can be used to both join the domain from the tenancy, and log in to your servers using the
domain credentials.

Configure the test instance to use the newly created domain controllers as the DNS server:

1. Log in to the test system as the OPC user.

2. Right-click the Network icon in the right corner of the screen and choose Open Network and Sharing
Center.

3. Click Change adapter settings in the left pane

Note: The options appearing in the Network Connections window discussed here are for instances
launched as Virtual Machine instances. If you launched the Windows servers as Bare Metal instances, the
name of the adapter will be different, however, the steps are the same regardless of instance type.

4. Right-click the Ethernet network adapter (it should be labeled “Intel(R) 82599 Virtual function”) and
choose Properties. (For Bare Metal instances, it should be labeled “Intel(R) Ethernet Server Adapter
X520-2”, or similar.)

5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 6. Choose Use the following DNS server addresses.

7. Enter the IP address(s) of the newly created domain controllers (these are the RFC1918 IP addresses you
recorded earlier and click OK.

8. Click Close.

Next, you can join the test server to the domain:

1. Run Windows Explorer.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 2. Right-click This PC and choose Properties.

3. In the Computer name, domain, and workgroup settings section, click Change settings.

4. Click Change.

5. Select the Domain radio button.

6. Enter the FQDN name of the domain that you are joining and click OK.

7. If the DNS server is configured correctly, you should be prompted with a dialog box to enter the domain
administrator credentials. Enter the credentials and click OK.

8. If the credentials are correct and have the appropriate permissions, you should receive a Welcome to the
… domain message.

9. Click OK to close the dialog.

10. Another dialog box notifying you that you need to reboot the server will be displayed. Click OK.

11. Click Close to close the System Properties control panel.

12. Click Restart Now to restart the server.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

Once the server has restarted, you can test that it is now part of the domain by using remote desktop to connect to
the server and log in using your domain account rather than the local OPC account.

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE

 Oracle Corporation, World Headquarters Worldwide Inquiries
500 Oracle Parkway Phone: +1.650.506.7000
Redwood Shores, CA 94065, USA Fax: +1.650.506.7200

CONNECT W ITH US

blogs.oracle.com/oracle
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
facebook.com/oracle warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
twitter.com/oracle
means, electronic or mechanical, for any purpose, without our prior written permission.

oracle.com Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0116

Microsoft Windows: Extending Active Directory to Oracle Cloud Infrastructure

June 2017
Author: Barry Shilmover ([email protected])

MICROSOFT WINDOWS: EXTENDING ACTIVE DIRECTORY TO ORACLE CLOUD INFRASTRUCTURE