Home Lab Secrets: Building the Killer Home Lab Part 1 (Azure to On-Premise VPN)(New Azure Portal)

I’ve always kept a fairly extensive home lab which I use for testing purposes.  This lab started out with Windows NT and has evolved to Windows 2012 R2.  A few lingering issues from over the years prompted me to rebuild my lab from the ground up recently, so I decided to document the journey.  This prompted me to build upon my old “Home Lab Secrets” series.

This new series will cover areas from the initial build-out of an On-Premise Lab that is connected via VPN to an Azure Subscription all the way up to deploying an internet-ready Exchange 2016 Server running in Hybrid Configuration Mode with Office 365.  During this journey we will cover some of the technologies listed below:

  • Deploying On-Premise Infrastructure
  • Azure to On-Premise VPN Deployment
  • Active Directory
  • Certificate Authority
  • Remote Desktop
  • Exchange 2016
  • ADFS/Web Application Proxy

Since this is a lab you will likely be deploying your servers on a Virtual Platform.  For my lab I used Hyper-V 2012 R2, but this article can definitely be leveraged regardless of the Virtual Platform.

 

Deploying On-Premise Infrastructure

Let’s get started with the deployment of our On-Premise Router.  The requirements to complete this lab are listed below:

 

  • Multi-Homed Windows 2012 R2 Server with at least 1GB of RAM (On-Premise Router)
  • On-Premise Windows 2012 R2 VM (On-Premise Domain Controller)
  • Azure Windows 2012 R2 VM (Azure Domain Controller)

 

The Router should have 1 NIC joined to the Internal Network which will be on the same subnet as your servers and workstations and 1 NIC joined to the External Network connected to your ISP.

The first thing we will need to do is configure our Internal NIC with an Internal IP Address.  For this lab we will be using 192.168.1.x for the internal network as shown in the image above.  Follow the steps below to configure your Internal IP address.

  1. Right-click on the Windows Logo and click on Run.
  2. Enter ncpa.cpl then click OK.
  3. Right-click on Ethernet 2 then click Rename and enter Internal.
  4. Right-click on Ethernet then click Rename and enter External.
  5. Right-click on Internal then click Properties.
  6. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  7. Select Use the following IP address: and enter the following:

  8. Click OK, then Close.
  9. Right-click on External then click Properties.
  10. Under the This connection uses the following items: section uncheck the following options then click OK, Close:

    • Client for Microsoft Networks
    • File and Printer Sharing for Microsoft Networks

Next we need to identify the Public IP Address provided by your ISP on your external adapter.  Since this lab is based on your External Connection being directly bound to your Windows 2012 R2 router, you can obtain this by running ipconfig on your router:

For this lab my ISP has given me the 98.172.27.234 address so this will be my Endpoint for my On-Premise Machines.

 

Creating Azure Networks

We will now need to log in to our Azure Subscription.  If you do not already have an Azure Subscription you can sign up for a free trial using the link below:

https://azure.microsoft.com/en-us/free/

 

Once you have an Azure Subscription, log in to the portal by accessing the URL listed below from your On-Premise Router:

 

https://portal.azure.com

 

The first thing we will want to do is create a Resource Group.  Resource Groups are used to group Azure Resources such as Virtual Machines, Virtual Networks and Network Security Groups, to name a few.  The first object we will create within our Azure Subscription is our Resource Group.  To do this follow the steps below:

1.  In the Left-Pane click on Resource groups.

2.  In the Top-Pane click on + Add.

3.  At the Resource group screen enter a name under Resource group name and select a Resource group location of your choice then click Create as shown below:

4.  On the Left-Pane click on +Add | Networking | Virtual network.

5.  At the Virtual network screen click Create.

We will now need to create our Virtual network within Azure.  A Virtual network within Azure is a network grouping of Azure VM’s that you would like to communicate with each other but isolate from other Azure VM’s.  Let’s get started and create our first Virtual network.

6.  Under Virtual networks click + Add.

7.  In the Left-Pane click + | Networking | Virtual network.

8.  At the Virtual network screen click Create.

9.  At the Create virtual network screen enter the details shown below then click Create.

10.  In the Left-Pane click + | Networking then scroll down and select Virtual network gateway.

11.  At the Create virtual network gateway screen enter KHL-Azure-GW under Name then click on Virtual network and select KHL-Azure.

12.  Click on Public IP address, under Choose public IP address select Create new, under Create public IP address click OK, then Create.

!!!Note:  This process can take up to 30-45 minutes.

13.  In the Left-Pane click + | Networking | Local network gateway.

14.  At the Create local network gateway screen enter the following Name, IP address, Address space and select Killer-Home-Lab as the Resource Group then click Create as shown below:

15.  In the Left-Pane click + | Networking then scroll down and select Connection.

16.  Under Basics under Connection type select Site-to-site (IPsec), then select Killer-Home-Lab for the Resource group then click OK.

17.  Under Settings click on Virtual network gateway and select KHL-Azure-GW.

18.  Under Settings click on Local network gateway and select KHL-OnPrem.

19.  Under Settings under Shared key (PSK) enter a key that matches the description then click OK.

20.  At the Summary screen click OK.
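The same Azure objects can be created from a script instead of the portal.  The following Az PowerShell script is an added example and is not part of the original post; it assumes the current Az module with Connect-AzAccount already run, takes the resource names, the router IP and the 192.168.111.0/24 Azure address space from this post, and the eastus region, the subnet prefixes and the Basic gateway SKU are my assumptions.

```powershell
# Added example (not from the original post): the Azure steps above as Az PowerShell.
# Assumes Connect-AzAccount has already been run. Values taken from the post: resource group
# Killer-Home-Lab, VNet KHL-Azure, gateway KHL-Azure-GW, local network gateway KHL-OnPrem,
# router IP 98.172.27.234, Azure address space 192.168.111.0/24 (the subnet the router later
# routes over the S2S interface). Assumed: the eastus region, subnet prefixes, the Basic SKU.
$Rg        = 'Killer-Home-Lab'
$Location  = 'eastus'
$OnPremIp  = '98.172.27.234'
$OnPremNet = '192.168.1.0/24'
$Psk       = Read-Host -Prompt 'Shared key (PSK), must match -SharedSecret on the router'

# Steps 1-3: resource group
New-AzResourceGroup -Name $Rg -Location $Location

# Steps 4-9: virtual network; a subnet named GatewaySubnet is required before a gateway can be built
$dcSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Servers'       -AddressPrefix '192.168.111.0/27'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '192.168.111.224/27'
$vnet = New-AzVirtualNetwork -Name 'KHL-Azure' -ResourceGroupName $Rg -Location $Location `
            -AddressPrefix '192.168.111.0/24' -Subnet $dcSubnet, $gwSubnet

# Steps 10-12: public IP and the route-based VPN gateway (IKEv2 site-to-site needs RouteBased)
$pip = New-AzPublicIpAddress -Name 'KHL-Azure-GW-ip' -ResourceGroupName $Rg -Location $Location `
           -AllocationMethod Dynamic
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnetId `
              -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'KHL-Azure-GW' -ResourceGroupName $Rg -Location $Location `
          -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic   # 30-45 min

# Steps 13-14: local network gateway = the on-premise router and its address space
$lng = New-AzLocalNetworkGateway -Name 'KHL-OnPrem' -ResourceGroupName $Rg -Location $Location `
           -GatewayIpAddress $OnPremIp -AddressPrefix $OnPremNet

# Remaining steps: the site-to-site IPsec connection with the shared key
New-AzVirtualNetworkGatewayConnection -Name 'KHL-Azure-to-OnPrem' -ResourceGroupName $Rg `
    -Location $Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $Psk

# This is the value to use for [KHL-Azure-GW-IP] in the router commands that follow
(Get-AzPublicIpAddress -Name 'KHL-Azure-GW-ip' -ResourceGroupName $Rg).IpAddress
```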

Now that we have created the Azure side of our VPN we will need to go to our On-Premise Router and configure the other half of the VPN.  Let’s head over to our On-Premise Windows Server 2012 R2 Router and configure it following the steps below:

1.  Log onto the On-Premise Router.

2.  From the Taskbar right-click on the PowerShell Icon and select Run as administrator.

3.  Within the Elevated PowerShell enter the following commands:

# Install the Remote Access role with the VPN feature and its management tools
Import-Module ServerManager
Install-WindowsFeature -Name directaccess-vpn, RSAT-RemoteAccess-Mgmt
Import-Module RemoteAccess
# Configure RRAS for site-to-site VPN only
Install-RemoteAccess -VpnType VpnS2S
# IKEv2 demand-dial interface to Azure: [KHL-Azure-GW-IP] is the public IP of KHL-Azure-GW, [SHAREDKEY] is the PSK
# entered on the Azure Connection, and 192.168.111.0/24 is the Azure virtual network routed over the interface (metric 100)
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name [KHL-Azure-GW-IP] -Destination [KHL-Azure-GW-IP] -IPv4Subnet @("192.168.111.0/24:100") -SharedSecret [SHAREDKEY]
# Offer the strongest IPsec proposals RRAS supports
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
# Do not request a configuration payload from Azure (the gateway assigns no address to the router)
Set-VpnS2SInterface -Name [KHL-Azure-GW-IP] -InitiateConfigPayload $false -Force
Connect-VpnS2SInterface -Name [KHL-Azure-GW-IP]
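Once Connect-VpnS2SInterface returns, the following check script, an added example and not part of the original post, confirms from the router that the interface is up, that the Azure route is present and which IPsec proposals were agreed; [KHL-Azure-GW-IP] is the same placeholder as above and 192.168.111.4 is an assumed address of the Azure VM.

```powershell
# Added check script (not from the original post). Run on the On-Premise Router after the
# commands above. [KHL-Azure-GW-IP] is the same placeholder as above; 192.168.111.0/24 is the
# Azure subnet from the Add-VpnS2SInterface command; 192.168.111.4 is an assumed Azure VM address.
$AzureGwIp = '[KHL-Azure-GW-IP]'
$AzureNet  = '192.168.111.0/24'
$AzureVmIp = '192.168.111.4'

# 1. Interface state: RRAS reports Connected, Connecting or Disconnected
$iface = Get-VpnS2SInterface -Name $AzureGwIp
if ($iface.ConnectionState -ne 'Connected') {
    Connect-VpnS2SInterface -Name $AzureGwIp
    Start-Sleep -Seconds 20
    $iface = Get-VpnS2SInterface -Name $AzureGwIp
}
"S2S interface {0}: {1}" -f $iface.Name, $iface.ConnectionState

# 2. Route: the 192.168.111.0/24 static route (metric 100) only exists while the interface is up
Get-NetRoute -DestinationPrefix $AzureNet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric

# 3. IPsec: the IKEv2 main-mode SA to the Azure gateway shows which proposals were agreed
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $AzureGwIp } |
    Select-Object LocalEndpoint, RemoteEndpoint, KeyModule, CipherAlgorithm, HashAlgorithm

# 4. Reachability through the tunnel (the Azure VM must allow ICMP for the ping to be answered)
Test-NetConnection -ComputerName $AzureVmIp -InformationLevel Detailed
```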

Now that our connection has been configured on both sites we will be creating our first

The first thing we have to do to allow On-Premise Servers to reach the VPN is to configure their IP’s on the same subnet as the On-Premise Router.  We will also need to make sure their Default Gateway is the Internal IP Address of the On-Premise Router.

Let’s configure our IP settings on our On-Premise Server.  Follow the steps below to do this:

  1. Log onto your spare On-Premise Server.
  2. Right-click on the Windows Logo and click on Run.
  3. Enter ncpa.cpl then click OK.
  4. Right-click on Ethernet then click Properties.
  5. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  6. Select Use the following IP address: and enter the following:
  7. Click OK, then Close.

By default our local Administrator account is “Administrator”.  If we were to promote this server as the 1st Domain Controller in our forest this account would become our 1st Domain Admin.  Since we don’t want any of our Domain Admin accounts to be “Administrator”, let’s change it before we move on.

1.  Right-click on the Windows Logo and click on Run.

2.  Enter compmgmt.msc then click OK.

3.  In the Left-pane Expand Computer Management | System Tools | Local Users and Groups then select Users.

4.  In the Right-Pane right-click Administrator and select Rename.

5.  Enter khl-admin then hit Enter.

Let’s head to Azure now and deploy our 1st Azure VM by logging into the portal by accessing the URL listed below from your On-Premise Server:

 

https://portal.azure.com

 

Once we are within the portal follow the steps below to create our 1st Azure VM:

1.  In the Left-Pane click + | Compute | Windows Server 2012 R2 Datacenter.

2.  At the Windows Server 2012 R2 Datacenter screen click Create.

3.  At the Basics screen enter the following then click OK.

***Note:  The virtual machine name will need to be unique for your lab since it’s a hostname within eastus.cloudapp.azure.com.  So KHL-DC is no longer available.

4.  At the Choose a size screen select DS1_V2 Standard VM (Best Bang for Buck) then click Select.

5.  At the Settings screen accept the defaults then click OK.

6.  At the Summary screen review your settings then click OK.

Once the VM is finished being created (about 5-10 minutes), we will need to make a few modifications to the VM to make sure we can access it consistently remotely.  This will involve setting static IP’s for the VM (Internal/External) as well as an external DNS name for the computer that can be used to access it via Remote Desktop.  Follow the steps below to make these changes:

1.  In the Left-Pane click on Virtual Machines then click on KHL-DC.

2.  At the KHL-DC screen click on the Public IP address as shown below:

3.  At the KHL-DC-ip – Configuration screen under Assignment click Static, under DNS name label enter khl-dc, then click Save.

4.  In the top-right corner click on the Bell to confirm the public IP address change has been saved.

5.  Scroll back to the Left-Side of the screen then click on Virtual Machines | KHL-DC.

6.  Under KHL-WEB click on Network interfaces.

7.  At the KHL-DC – Network interfaces screen click on the Network Interface as shown below:

8.  Under the Network Interface click on IP configurations.

9.  At the IP configurations screen click on ipconfig1 as shown below:

10.  At the ipconfig1 screen under Assignment select Static then click Save.

By default, Windows 2012 R2 Servers block ping requests from IP’s that are not on the Local Subnet.  Since this is a lab we will be disabling the Windows Firewall on both Servers.  Follow the steps below to connect to KHL-DC.

1.  In the Left-Pane click on Virtual Machines then click on KHL-DC.

2.  At the KHL-DC screen click on Connect.

3.  At the Pop-up click Save.

4.  At the next pop-up click on Open Folder.

5.  Under the Downloads double-click on KHL-DC then at the pop-up click Connect, and enter your Credentials.

6.  Right-click on the Windows Logo and select Command Prompt (Admin).

7.  At the Elevated Command Prompt enter the command below:

netsh advfirewall set allprofiles state off

8.  Repeat steps 6-7 on your On-Premise Spare Server (OP-DC).
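As an added alternative (not from the original post) to turning the firewall off in step 7, the following script keeps the Windows Firewall enabled and only opens ICMPv4 echo and RDP from the two lab subnets; 192.168.1.0/24 and 192.168.111.0/24 are the On-Premise and Azure address spaces used earlier in this post, and the rule names are my own.

```powershell
# Added alternative (not from the original post) to "netsh advfirewall set allprofiles state off".
# Keeps the Windows Firewall on and only allows ICMPv4 echo and RDP from the two lab subnets.
# 192.168.1.0/24 and 192.168.111.0/24 are the on-premise and Azure address spaces used in this post;
# the rule names are my own. Run in an elevated PowerShell on both KHL-DC and OP-DC.
$LabSubnets = @('192.168.1.0/24', '192.168.111.0/24')

# Firewall stays enabled on every profile
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# ICMPv4 echo request (type 8): the built-in rule only covers the local subnet, this one also
# covers the peer site on the other side of the VPN
New-NetFirewallRule -DisplayName 'KHL - ICMPv4 echo from lab subnets' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $LabSubnets -Action Allow -Profile Any

# RDP (TCP 3389) from the lab subnets only
New-NetFirewallRule -DisplayName 'KHL - RDP from lab subnets' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $LabSubnets -Action Allow -Profile Any

# Review the remote-address scope that was applied to the new rules
Get-NetFirewallRule -DisplayName 'KHL - *' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```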

Now we should have connectivity between our Azure VM and On-Premise VM, which you can confirm by pinging KHL-DC from OP-DC and OP-DC from KHL-DC.

In Part 2 of this series we will configure our Azure VM and On-Premise VM as Domain Controllers and establish 2 Active Directory Sites.

 

Enjoy,

Elliott

