The simulated enterprise base configuration

This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.

This article describes how to create a simplified environment for Microsoft 365 for enterprise that includes:

  • A Microsoft 365 E5 trial or paid subscription.
  • A simplified organization intranet connected to the internet, consisting of three virtual machines on an Azure virtual network (DC1, APP1, and CLIENT1).

The simulated enterprise base configuration

Creating a simplified test environment involves two phases:

You can use the resulting environment to test the features and functionality of Microsoft 365 for enterprise with additional Test Lab Guides or on your own.

Test Lab Guides for the Microsoft cloud

Tip

For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to Microsoft 365 for enterprise Test Lab Guide Stack.

Phase 1: Create a simulated intranet

In this phase, build a simulated intranet in Azure infrastructure services that includes an Active Directory Domain Services (AD DS) domain controller, an application server, and a client computer.

You'll use these computers in additional Microsoft 365 for enterprise Test Lab Guides to configure and demonstrate hybrid identity and other capabilities.

Method 1: Build your simulated intranet with an Azure Resource Manager template

In this method, you use an Azure Resource Manager template to build out the simulated intranet. Azure Resource Manager templates contain all of the instructions to create the Azure networking infrastructure, the virtual machines, and their configuration.

Before deploying the template, read through the template README page and have the following information ready:

  • The public DNS domain name of your test environment (testlab.<your public domain>). You'll enter this name in the Domain Name field of the Custom deployment page.
  • A DNS label prefix for the URLs of the public IP addresses of your virtual machines. You'll need to enter this label in the Dns Label Prefix field of the Custom deployment page.

After you read through the instructions, select Deploy to Azure on the template README page to get started.

Note

The simulated intranet built by the Azure Resource Manager template requires a paid Azure subscription.

After the template is complete, your configuration looks like this:

The simulated intranet in Azure infrastructure services

Method 2: Build your simulated intranet with Azure PowerShell

In this method, you use Windows PowerShell and the Azure PowerShell module to build out the networking infrastructure, the virtual machines, and their configuration.

Use this method if you want to get experience creating elements of Azure infrastructure one step at a time with PowerShell. You can then customize the PowerShell command blocks for your own deployment of other virtual machines in Azure.

Step 1: Create DC1

In this step, you create an Azure virtual network and add DC1, a virtual machine that is a domain controller for an AD DS domain.

First, start a Windows PowerShell command prompt on your local computer.

Note

The following command sets use the latest version of Azure PowerShell. See Get started with Azure PowerShell cmdlets.

Sign in to your Azure account with the following command.

Connect-AzAccount

Get your subscription name using the following command.

Get-AzSubscription | Sort Name | Select Name

Set your Azure subscription. Replace everything within the quotation marks, including the angle brackets ("<" and ">"), with the correct name.

$subscr="<subscription name>"
Get-AzSubscription -SubscriptionName $subscr | Select-AzSubscription

Next, create a new resource group for your simulated enterprise test lab. To determine a unique resource group name, use this command to list your existing resource groups.

Get-AzResourceGroup | Sort ResourceGroupName | Select ResourceGroupName

Create your new resource group with these commands. Replace everything within the quotation marks, including the angle brackets, with the correct names.

$rgName="<resource group name>"
$locName="<location name, such as West US>"
New-AzResourceGroup -Name $rgName -Location $locName

Next, create the TestLab virtual network that will host the corporate network subnet of the simulated enterprise environment and protect it with a network security group. Fill in the name of your resource group and run these commands at the PowerShell command prompt on your local computer.

$rgName="<name of your new resource group>"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$corpnetSubnet=New-AzVirtualNetworkSubnetConfig -Name Corpnet -AddressPrefix 10.0.0.0/24
New-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/8 -Subnet $corpnetSubnet -DNSServer 10.0.0.4
$rule1=New-AzNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
New-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1
$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name TestLab
$nsg=Get-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Corpnet -AddressPrefix "10.0.0.0/24" -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork

Next, you create the DC1 virtual machine and configure it as a domain controller for the testlab.<your public domain> AD DS domain and a DNS server for the virtual machines of the TestLab virtual network. For example, if your public domain name is contoso.com, the DC1 virtual machine will be a domain controller for the testlab.contoso.com domain.

To create an Azure virtual machine for DC1, fill in the name of your resource group and run these commands at the PowerShell command prompt on your local computer.

$rgName="<resource group name>"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName
$pip=New-AzPublicIpAddress -Name DC1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic=New-AzNetworkInterface -Name DC1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress 10.0.0.4
$vm=New-AzVMConfig -VMName DC1 -VMSize Standard_A2_V2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for DC1."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName DC1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name "DC1-OS" -DiskSizeInGB 128 -CreateOption FromImage
$diskConfig=New-AzDiskConfig -AccountType "Standard_LRS" -Location $locName -CreateOption Empty -DiskSizeGB 20
$dataDisk1=New-AzDisk -DiskName "DC1-DataDisk1" -Disk $diskConfig -ResourceGroupName $rgName
$vm=Add-AzVMDataDisk -VM $vm -Name "DC1-DataDisk1" -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 1
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm

You will be prompted for a user name and password for the local administrator account on DC1. Use a strong password and record both the name and password in a secure location.

Next, connect to the DC1 virtual machine:

  1. In the Azure portal, select Resource Groups > <the name of your new resource group> > DC1 > Connect.

  2. In the open pane, select Download RDP file. Open the DC1.rdp file that is downloaded, and then select Connect.

  3. Specify the DC1 local administrator account name:

    • For Windows 7:

      In the Windows Security dialog box, select Use another account. In User name, enter DC1\<local administrator account name>.

    • For Windows 8 or Windows 10:

      In the Windows Security dialog box, select More choices, and then select Use a different account. In User name, enter DC1\<local administrator account name>.

  4. In Password, enter the password of the local administrator account, and then select OK.

  5. When prompted, select Yes.

Next, add an extra data disk as a new volume with the drive letter F: with this command at an administrator-level Windows PowerShell command prompt on DC1.

Get-Disk | Where PartitionStyle -eq "RAW" | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel "WSAD Data"

Next, configure DC1 as a domain controller and DNS server for the testlab.<your public domain> domain. Specify your public domain name, remove the angle brackets, and then run these commands at an administrator-level Windows PowerShell command prompt on DC1.

$yourDomain="<your public domain>"
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName testlab.$yourDomain -DatabasePath "F:\NTDS" -SysvolPath "F:\SYSVOL" -LogPath "F:\Logs"

You will need to specify a safe mode administrator password. Store this password in a secure location.

Note that these commands can take a few minutes to complete.

After DC1 restarts, reconnect to the DC1 virtual machine.

  1. In the Azure portal, select Resource Groups > <your resource group name> > DC1 > Connect.

  2. Run the DC1.rdp file that is downloaded, and then select Connect.

  3. In Windows Security, select Use another account. In User name, enter TESTLAB\<local administrator account name>.

  4. In the Password box, enter the password of the local administrator account, and then select OK.

  5. When prompted, select Yes.

Next, create a user account in Active Directory that will be used when signing in to TESTLAB domain member computers. Run this command at an administrator-level Windows PowerShell command prompt.

New-ADUser -SamAccountName User1 -AccountPassword (read-host "Set user password" -assecurestring) -name "User1" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

Note that this command prompts you to supply the User1 account password. This account will be used for remote desktop connections for all TESTLAB domain member computers, so choose a strong password. Record the User1 account password and store it in a secured location.

Next, configure the new User1 account as a domain, enterprise, and schema administrator. Run this command at the administrator-level Windows PowerShell command prompt.

$yourDomain="<your public domain>"
$domainName = "testlab."+$yourDomain
$userName="user1@" + $domainName
$userSID=(New-Object System.Security.Principal.NTAccount($userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$groupNames=@("Domain Admins","Enterprise Admins","Schema Admins")
ForEach ($name in $groupNames) {Add-ADPrincipalGroupMembership -Identity $userSID -MemberOf (Get-ADGroup -Identity $name).SID.Value}

Close the Remote Desktop session with DC1 and then reconnect using the TESTLAB\User1 account.

Next, to allow traffic for the Ping tool, run this command at an administrator-level Windows PowerShell command prompt.

Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -enabled True

Your current configuration looks like this:

Step 1 of the simulated enterprise base configuration

Step 2: Configure APP1

In this step, you create and configure APP1, which is an application server that initially provides web and file sharing services.

To create an Azure Virtual Machine for APP1, fill in the name of your resource group and run these commands at the command prompt on your local computer.

$rgName="<resource group name>"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName
$pip=New-AzPublicIpAddress -Name APP1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic=New-AzNetworkInterface -Name APP1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id
$vm=New-AzVMConfig -VMName APP1 -VMSize Standard_A2_V2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for APP1."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName APP1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name "APP1-OS" -DiskSizeInGB 128 -CreateOption FromImage
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm

Next, connect to the APP1 virtual machine using the APP1 local administrator account name and password, and then open a Windows PowerShell command prompt.

To check name resolution and network communication between APP1 and DC1, run the ping dc1.testlab.<your public domain name> command and verify that there are four replies.

Next, join the APP1 virtual machine to the TESTLAB domain with these commands at the Windows PowerShell prompt.

$yourDomain="<your public domain name>"
Add-Computer -DomainName ("testlab." + $yourDomain)
Restart-Computer

Note that you after you run the Add-Computer command, you must supply the TESTLAB\User1 domain account credentials.

After APP1 restarts, connect to it using the TESTLAB\User1 account, and then open an administrator-level Windows PowerShell command prompt.

Next, make APP1 a web server with this command at an administrator-level Windows PowerShell command prompt on APP1.

Install-WindowsFeature Web-WebServer -IncludeManagementTools

Next, create a shared folder and a text file within the folder on APP1 with these PowerShell commands.

New-Item -path c:\files -type directory
Write-Output "This is a shared file." | out-file c:\files\example.txt
New-SmbShare -name files -path c:\files -changeaccess TESTLAB\User1

Your current configuration looks like this:

Step 2 of the simulated enterprise base configuration

Step 3: Configure CLIENT1

In this step, you create and configure CLIENT1, which acts as a typical laptop, tablet, or desktop computer on the intranet.

Note

The following command set creates CLIENT1 running Windows Server 2016 Datacenter, which can be done for all types of Azure subscriptions. If you have a Visual Studio-based Azure subscription, you can create CLIENT1 running Windows 10 with the Azure portal.

To create an Azure Virtual Machine for CLIENT1, fill in the name of your resource group and run these commands at the command prompt on your local computer.

$rgName="<resource group name>"
$locName=(Get-AzResourceGroup -Name $rgName).Location
$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName
$pip=New-AzPublicIpAddress -Name CLIENT1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic=New-AzNetworkInterface -Name CLIENT1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id
$vm=New-AzVMConfig -VMName CLIENT1 -VMSize Standard_A2_V2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for CLIENT1."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName CLIENT1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name "CLIENT1-OS" -DiskSizeInGB 128 -CreateOption FromImage
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm

Next, connect to the CLIENT1 virtual machine using the CLIENT1 local administrator account name and password, and then open an administrator-level Windows PowerShell command prompt.

To check name resolution and network communication between CLIENT1 and DC1, run the ping dc1.testlab.<your public domain name> command at a Windows PowerShell command prompt and verify that there are four replies.

Next, join the CLIENT1 virtual machine to the TESTLAB domain with these commands at the Windows PowerShell prompt.

$yourDomain="<your public domain name>"
Add-Computer -DomainName ("testlab." + $yourDomain)
Restart-Computer

Note that you must supply your TESTLAB\User1 domain account credentials after running the Add-Computer command.

After CLIENT1 restarts, connect to it using the TESTLAB\User1 account name and password, and then open an administrator-level Windows PowerShell command prompt.

Next, verify that you can access web and file share resources on APP1 from CLIENT1.

  1. In Server Manager, in the tree pane, select Local Server.

  2. In Properties for CLIENT1, select On next to IE Enhanced Security Configuration.

  3. In Internet Explorer Enhanced Security Configuration, select Off for Administrators and Users, and then select OK.

  4. From the Start screen, select Internet Explorer, and then select OK.

  5. In the address bar, enter http://app1.testab.<your public domain name>/, and then press Enter. You should see the default Internet Information Services web page for APP1.

  6. On the desktop taskbar, select the File Explorer icon.

  7. In the address bar, enter \\app1\Files, and then press Enter. You should see a folder window with the contents of the Files shared folder.

  8. In the Files shared folder window, double-click the Example.txt file. You should see the contents of the Example.txt file.

  9. Close the example.txt - Notepad and the Files shared folder windows.

Your current configuration looks like this:

Step 3 of the simulated enterprise base configuration

Phase 2: Create your Microsoft 365 E5 subscription

In this phase, you create a new Microsoft 365 E5 subscription that uses a new Azure AD tenant, one that is separate from your production subscription. You can do this in two ways:

  • Use a trial subscription of Microsoft 365 E5.

    The Microsoft 365 E5 trial subscription is 30 days, which can be easily extended to 60 days. When the trial subscription expires, you must either convert it to a paid subscription or create a new trial subscription. Creating new trial subscriptions means you will leave your configuration, which could include complex scenarios, behind.

  • Use a separate production subscription of Microsoft 365 E5 with a small number of licenses.

    This is an additional cost, but ensures that you have a working test environment that doesn't expire; in it, you can try features, configurations, and scenarios. You can use the same test environment over the long term for proofs of concept, demonstration to peers and management, and application development and testing. This is the recommended method.

Sign up for an Office 365 E5 trial subscription

From the Azure portal, connect to CLIENT1 with the CORP\User1 account.

To create a new Office 365 E5 trial subscription, perform the instructions in Phase 1 of the lightweight base configuration Test Lab Guide.

To configure your new Office 365 E5 trial subscription, perform the instructions in Phase 2 of the lightweight base configuration Test Lab Guide.

Using an Office 365 E5 test environment

If you need only an Office 365 test environment, you do not need to read the rest of this article.

For additional Test Lab Guides that apply to both Microsoft 365 and Office 365, see Microsoft 365 for enterprise Test Lab Guides.

Add a Microsoft 365 E5 trial subscription

To add a Microsoft 365 E5 trial subscription and configure your users accounts with licenses, perform the instructions in Phase 3 of the lightweight base configuration Test Lab Guide.

Results

Your test environment now has:

  • Microsoft 365 E5 trial subscription.
  • All your appropriate user accounts are enabled to use Microsoft 365 E5.
  • A simulated and simplified intranet.

Your final configuration looks like this:

Phase 2 of the simulated enterprise base configuration

You are now ready to experiment with additional features of Microsoft 365 for enterprise.

Next steps

Explore these additional sets of Test Lab Guides:

See also

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation