Elyse DOMAIN IN A BOX

OVERVIEW

This guide provides step-by-step instructions for building a complete Elyse test environment from scratch using Hyper-V virtual machines on a single physical computer. This is intended for lab, testing, and demonstration purposes.

What is Hyper-V? Hyper-V is a feature built into Windows that lets you create “virtual machines” (VMs) — essentially computers running inside your computer. Each VM behaves like a separate physical machine with its own operating system, but they all share your physical hardware. This allows you to build an entire network of servers on a single PC.

How to enable Hyper-V: Click Start, type Turn Windows features on or off, tick Hyper-V, click OK, and restart your PC. If the Hyper-V checkbox is greyed out, you may need to enable virtualisation (Intel VT-x or AMD-V) in your PC’s BIOS/UEFI settings. Note that Windows Home editions do not include Hyper-V — you need Windows 10/11 Pro or Enterprise.

The environment consists of five virtual machines:

VM Name      Role                                          IP          RAM   Disk
ELYSE-DC01   Domain Controller (manages user identities)   10.0.0.10   4 GB  60 GB
ELYSE-SQL01  SQL Server (stores the database)              10.0.0.20   8 GB  80 GB
ELYSE-BE01   Backend (IIS/.NET application server)         10.0.0.30   4 GB  60 GB
ELYSE-FE01   Frontend (IIS web server)                     10.0.0.40   4 GB  60 GB
ELYSE-WK01   Workstation (Windows 11 user PC)              10.0.0.50   4 GB  64 GB

Domain: elyse.local | Network: 10.0.0.0/24 (Internal switch, no internet)

This appendix cross-references:

PREREQUISITES

Downloading SQL Server Express for offline use (or use a higher edition if you have one): The lab VMs will not have internet access, so download the full installer on your host PC first.
  1. Go to the SQL Server Downloads page and download the Express installer.
  2. Run the downloaded installer on your host PC. Instead of clicking “Basic” or “Custom”, select Download Media.
  3. Choose Express Advanced (approximately 700–800 MB). This downloads a single file containing the full engine.
  4. Save this file somewhere you can find it later (e.g., C:\Lab-Elyse\ISOs\).

PHASE 1: NETWORK AND STORAGE PREPARATION

Step 1: Create the Hyper-V Internal Switch

A virtual switch is like a virtual network cable that connects your VMs together. An “Internal” switch allows the VMs to communicate with each other and with your host PC, but does not give them internet access — perfect for an isolated lab.

  1. Open Hyper-V Manager (click Start, type Hyper-V Manager, click the result).
  2. On the right-hand side of the window, in the Actions pane, click Virtual Switch Manager...
  3. A new window opens. On the left, “New virtual network switch” should already be highlighted.
  4. On the right, select Internal.
  5. Click Create Virtual Switch.
  6. In the Name field, type: Elyse-Internal-Switch
  7. Leave all other settings as they are.
  8. Click OK.

Step 2: Create VM Storage Folders

Each VM stores its files (virtual hard drives, configuration, etc.) in a folder. We create a dedicated folder for each VM to keep things organised.

  1. Open File Explorer (click the folder icon on your taskbar, or press Windows Key + E).
  2. Navigate to your fastest drive (usually C:). Click This PC in the left pane, then double-click your C: drive.
  3. Right-click in an empty area > New > Folder. Name it Lab-Elyse and press Enter.
  4. Double-click Lab-Elyse to open it.
  5. Create six sub-folders inside it (right-click > New > Folder for each): DC01, SQL01, BE01, FE01, WK01, ISOs
  6. Copy your downloaded ISO files into C:\Lab-Elyse\ISOs\. (Navigate to your Downloads folder, right-click each ISO > Copy, then navigate to the ISOs folder, right-click > Paste.)

The resulting folder structure is:

C:\Lab-Elyse\DC01\
C:\Lab-Elyse\SQL01\
C:\Lab-Elyse\BE01\
C:\Lab-Elyse\FE01\
C:\Lab-Elyse\WK01\
C:\Lab-Elyse\ISOs\     (contains your ISO files)

PHASE 2: DOMAIN CONTROLLER (ELYSE-DC01)

The Domain Controller (DC) is the most critical server. It manages user identities, passwords, and security for the entire network. We build this first because all other servers need to “join” the domain it creates.

Step 3: Create the ELYSE-DC01 Virtual Machine

  1. Open Hyper-V Manager if not already open.
  2. In the left pane, right-click your computer name and select New > Virtual Machine...
  3. The “New Virtual Machine Wizard” opens:
    1. Before You Begin: Click Next.
    2. Specify Name and Location: Name: ELYSE-DC01. Tick Store the virtual machine in a different location. Click Browse... and select C:\Lab-Elyse\DC01. Click Next.
    3. Specify Generation: Select Generation 2 (supports modern UEFI and security features). Click Next.
    4. Assign Memory: Set to 4096 MB (4 GB). Uncheck “Use Dynamic Memory”. Click Next.
    5. Configure Networking: Select Elyse-Internal-Switch from the dropdown. Click Next.
    6. Connect Virtual Hard Disk: Leave defaults, set Size to 60 GB. Click Next.
    7. Installation Options: Select “Install an operating system from a bootable image file”. Click Browse... and select your Windows Server 2022 ISO from C:\Lab-Elyse\ISOs\. Click Next.
    8. Summary: Click Finish.

The VM is created but not running. You should see ELYSE-DC01 listed in Hyper-V Manager with state “Off”.

Step 4: Hardware Configuration (ELYSE-DC01)

Before starting the VM, adjust two settings:

  1. Right-click ELYSE-DC01 in Hyper-V Manager > Settings...
  2. Click Security in the left-hand list. Ensure Enable Trusted Platform Module is ticked.
  3. Click Processor in the left-hand list. Change Number of virtual processors to 2.
  4. Click OK.
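
Steps 1 to 4 can also be run as a script from an elevated PowerShell prompt on the host. This is an added example, not part of the original guide; it goes beyond ELYSE-DC01 and applies the same settings pattern to all five VMs from the overview table. The ISO file names and the .vhdx file names are assumptions; replace them with your own.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example: scripted form of Steps 1-4, extended to every VM in the overview table.
# ASSUMPTION: the two ISO file names are placeholders for the files you downloaded.

$LabRoot    = 'C:\Lab-Elyse'
$SwitchName = 'Elyse-Internal-Switch'
$ServerIso  = Join-Path $LabRoot 'ISOs\WindowsServer2022.iso'    # placeholder file name
$ClientIso  = Join-Path $LabRoot 'ISOs\Windows11Enterprise.iso'  # placeholder file name

# Values taken from the overview table and the per-VM hardware steps.
$Vms = @(
    [pscustomobject]@{ Name = 'ELYSE-DC01';  Folder = 'DC01';  MemoryGB = 4; DiskGB = 60; Cpu = 2; Iso = $ServerIso }
    [pscustomobject]@{ Name = 'ELYSE-SQL01'; Folder = 'SQL01'; MemoryGB = 8; DiskGB = 80; Cpu = 4; Iso = $ServerIso }
    [pscustomobject]@{ Name = 'ELYSE-BE01';  Folder = 'BE01';  MemoryGB = 4; DiskGB = 60; Cpu = 2; Iso = $ServerIso }
    [pscustomobject]@{ Name = 'ELYSE-FE01';  Folder = 'FE01';  MemoryGB = 4; DiskGB = 60; Cpu = 2; Iso = $ServerIso }
    [pscustomobject]@{ Name = 'ELYSE-WK01';  Folder = 'WK01';  MemoryGB = 4; DiskGB = 64; Cpu = 2; Iso = $ClientIso }
)

# Step 1: internal switch (VM-to-VM and host-to-VM traffic only, no external uplink).
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# Step 2: one storage folder per VM, plus the ISOs folder.
foreach ($sub in @($Vms.Folder) + 'ISOs') {
    New-Item -ItemType Directory -Path (Join-Path $LabRoot $sub) -Force | Out-Null
}

# Steps 3-4: create each VM and apply the hardware settings before first boot.
foreach ($vm in $Vms) {
    if (Get-VM -Name $vm.Name -ErrorAction SilentlyContinue) {
        Write-Host "$($vm.Name) already exists, skipping."
        continue
    }
    if (-not (Test-Path -Path $vm.Iso)) {
        Write-Warning "ISO not found: $($vm.Iso). Skipping $($vm.Name)."
        continue
    }

    $vmPath = Join-Path $LabRoot $vm.Folder
    $vhd    = Join-Path $vmPath "$($vm.Name).vhdx"   # assumed disk file name

    New-VM -Name $vm.Name -Generation 2 `
           -MemoryStartupBytes ($vm.MemoryGB * 1GB) `
           -Path $vmPath `
           -NewVHDPath $vhd -NewVHDSizeBytes ($vm.DiskGB * 1GB) `
           -SwitchName $SwitchName | Out-Null

    # Fixed RAM ("Use Dynamic Memory" unchecked) and the vCPU count from the guide.
    Set-VMMemory    -VMName $vm.Name -DynamicMemoryEnabled $false
    Set-VMProcessor -VMName $vm.Name -Count $vm.Cpu

    # A virtual TPM needs a key protector first; a local one is sufficient for a lab.
    Set-VMKeyProtector -VMName $vm.Name -NewLocalKeyProtector
    Enable-VMTPM       -VMName $vm.Name

    # Attach the installer ISO and boot from it first.
    $dvd = Add-VMDvdDrive -VMName $vm.Name -Path $vm.Iso -Passthru
    Set-VMFirmware -VMName $vm.Name -FirstBootDevice $dvd
}

# Summary to compare against the overview table.
Get-VM -Name 'ELYSE-*' |
    Select-Object Name, State, ProcessorCount, @{ n = 'MemoryGB'; e = { $_.MemoryStartup / 1GB } }
```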

Step 5: Install Windows Server (ELYSE-DC01)

  1. Right-click ELYSE-DC01 > Connect.... A console window opens (black screen — the VM is off).
  2. Click the green Start button (▶) in the toolbar at the top of the console window.
  3. IMPORTANT: When “Press any key to boot from CD or DVD...” appears, immediately press any key (e.g., spacebar). If you miss it, click the Reset button in the toolbar and try again.
  4. The Windows Setup screen appears:
    1. Language/Keyboard: Leave defaults. Click Next, then Install now.
    2. Select Windows Server 2022 Standard Evaluation (Desktop Experience).
      Do NOT select the version without “Desktop Experience” — that is Server Core (command-line only, no graphical interface).
    3. Accept the license terms. Click Next.
    4. Select Custom: Install Microsoft Server Operating System only (advanced).
    5. Select Drive 0 (60 GB). Click Next.
  5. Wait for installation (5–10 minutes). The VM restarts automatically. Do not press a key during the restart — let it boot from the hard drive.
  6. Set the Administrator password (e.g., ElyseLab2026!). Write this password down — you will use it for every VM.
  7. At the lock screen, send Ctrl+Alt+Delete to the VM: in the console toolbar, click the keyboard icon or go to Action > Ctrl+Alt+Delete. Then type your password and press Enter.

You should now see the Windows Server desktop with Server Manager open.

Step 6: Configure Static IP and Rename (ELYSE-DC01)

Every server needs a fixed (static) IP address so other servers can always find it.

Set the Static IP Address

  1. In Server Manager (opens automatically on login; if not, click Start and type Server Manager), click Local Server in the left sidebar.
  2. Find the Ethernet row (shows “IPv4 address assigned by DHCP”). Click that blue link.
  3. A “Network Connections” window opens. Right-click the Ethernet adapter > Properties.
  4. Click Internet Protocol Version 4 (TCP/IPv4) to highlight it, then click Properties.
  5. Select Use the following IP address and enter:
    IP address: 10.0.0.10
    Subnet mask: 255.255.255.0
    Default gateway: (leave blank)
  6. Select Use the following DNS server addresses:
    Preferred DNS server: 127.0.0.1
    Why 127.0.0.1? This is the “loopback” address — it tells the server to use itself for DNS. Once this server becomes a Domain Controller, it will run its own DNS service.
  7. Click OK, then Close.

Rename the Computer

  1. Back in Server Manager > Local Server, find the Computer name row (shows a random name like WIN-ASDF1234). Click that blue link.
  2. A “System Properties” window opens. Click Change...
  3. In the Computer name field, type: ELYSE-DC01
  4. Click OK. A prompt says a restart is required. Click OK, then Close, then Restart Now.

Wait for the reboot. Log back in. Verify the computer name shows ELYSE-DC01 in Server Manager > Local Server.

Step 7: Install Active Directory Domain Services

Active Directory Domain Services (AD DS) is the feature that turns a server into a Domain Controller.

  1. In Server Manager, click Manage (top-right) > Add Roles and Features.
  2. The wizard opens:
    1. Before You Begin: Click Next.
    2. Installation Type: Leave “Role-based” selected. Click Next.
    3. Server Selection: Your server should be selected. Click Next.
    4. Server Roles: Find and tick Active Directory Domain Services.
    5. A popup asks to add required features. Click Add Features.
    6. Click Next through the remaining screens without changing anything.
    7. Click Install. Wait for completion. Do not close this window.

Step 8: Promote to Domain Controller

After AD DS installs, you will see a link: “Promote this server to a domain controller” (or a yellow warning flag at the top of Server Manager). Click it.

  1. Deployment Configuration: Select Add a new forest. Root domain name: elyse.local. Click Next.
  2. Domain Controller Options: Functional levels: Windows Server 2016. Check DNS server. DSRM Password: use the same Administrator password. Click Next.
  3. DNS Options: Ignore the yellow “DNS Delegation” warning. Click Next.
  4. Additional Options: NetBIOS name auto-fills as ELYSE. Click Next.
  5. Paths: Leave defaults. Click Next.
  6. Prerequisites Check: Verify the green checkmark (“All prerequisite checks passed successfully”). Click Install.
The server restarts automatically. The first login after promotion takes longer than usual. Log in with your Administrator password.

Step 9: Post-Promotion Health Check

Verify DNS Configuration

  1. Press Windows Key + R. Type ncpa.cpl and press Enter. (This opens the Network Connections window.)
  2. Right-click the Ethernet adapter > Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) > Properties.
  4. Verify Preferred DNS server is 127.0.0.1. (Windows sometimes changes this to ::1 during DC promotion — change it back if needed.)
  5. Click OK and Close.
CRITICAL WARNING - DO NOT DISABLE IPv6: IPv6 must remain enabled on all Hyper-V VMs at all times. Disabling IPv6, even temporarily, will permanently and irreversibly corrupt the Hyper-V Enhanced Session Mode integration services. Re-enabling IPv6 will NOT fix the corruption. The only recovery is to rebuild the affected VMs. Enhanced Session Mode is required for clipboard sharing and proper display resolution. The lab uses IPv4 for all network communication, but IPv6 must remain enabled for Hyper-V host-to-VM communication to function correctly.

Verify the Domain is Active

  1. In Server Manager, click the Tools menu (top-right area).
  2. Select Active Directory Users and Computers. A new window opens.
  3. In the left pane, you should see elyse.local. Click the arrow next to it to expand. You should see folders: Builtin, Computers, Domain Controllers, Users.

If you can see these folders, your Domain Controller is working correctly.

Step 9b: Create Reverse DNS Zone (Critical for Kerberos Performance)

Reverse DNS (PTR records) allows DNS to resolve IP addresses back to hostnames. Kerberos authentication requires this for optimal performance. Without reverse DNS, authentication will time out after 30–40 seconds before falling back to NTLM, causing severe performance issues.

Create the Reverse Lookup Zone

  1. In Server Manager, click Tools > DNS. The DNS Manager window opens.
  2. In the left pane, right-click ELYSE-DC01 (the server name at the top) > New Zone...
    Note: If you expand ELYSE-DC01 and right-click on Reverse Lookup Zones, the “New Zone” option may be greyed out. Instead, right-click on the server name itself (ELYSE-DC01) to access the wizard.
  3. The “New Zone Wizard” opens:
    1. Welcome: Click Next.
    2. Zone Type: Leave Primary zone selected. Ensure Store the zone in Active Directory is checked. Click Next.
    3. Active Directory Zone Replication Scope: Leave the default (To all DNS servers running on domain controllers in this domain). Click Next.
    4. Forward or Reverse Lookup Zone: Select Reverse Lookup Zone. Click Next.
    5. Reverse Lookup Zone Name: Select IPv4 Reverse Lookup Zone. Click Next.
    6. Reverse Lookup Zone Name: Select Network ID and type: 10.0.0. Click Next.
      Why 10.0.0? This creates a reverse zone for the 10.0.0.0/24 network (all IPs from 10.0.0.1 to 10.0.0.254). The zone will be named 0.0.10.in-addr.arpa automatically.
    7. Dynamic Update: Select Allow only secure dynamic updates. Click Next.
    8. Completing the New Zone Wizard: Click Finish.

Create PTR Records for All Lab VMs

Now add a PTR record for each VM in the lab. These records tell DNS which hostname corresponds to each IP address.

  1. In DNS Manager, expand Reverse Lookup Zones in the left pane.
  2. Click 0.0.10.in-addr.arpa to select it.
  3. Right-click 0.0.10.in-addr.arpa > New Pointer (PTR)...
  4. In the “New Resource Record” dialog:
    Host IP Address: 10.0.0.10
    Host name: ELYSE-DC01.elyse.local
    Click OK.
  5. Repeat steps 3–4 for each remaining VM:
    IP Address   Hostname (FQDN)
    10.0.0.20    ELYSE-SQL01.elyse.local
    10.0.0.30    ELYSE-BE01.elyse.local
    10.0.0.40    ELYSE-FE01.elyse.local
    10.0.0.50    ELYSE-WK01.elyse.local

Verify Reverse DNS

  1. Open PowerShell (click Start and type PowerShell).
  2. Test reverse DNS lookup by typing the following command and pressing Enter:
    nslookup 10.0.0.10
  3. The most important part of the output is the Name and Address at the bottom:
    Name:    ELYSE-DC01.elyse.local
    Address:  10.0.0.10
    If you see these two lines, reverse DNS is working correctly.
  4. Note about DNS timeout messages: If you see DNS request timed out or Server: UnKnown at the top of the output, this is normal and harmless. The nslookup tool tries IPv6 first (even though no IPv6 DNS server is configured), times out, then falls back to IPv4 which works correctly. This timeout message is purely cosmetic and does not affect functionality. As long as you see the Name and Address at the bottom of the output, reverse DNS is working correctly and Kerberos performance will be optimal.
    CRITICAL: Do NOT disable IPv6 to eliminate this timeout message. Disabling IPv6, even temporarily, will permanently and irreversibly corrupt Hyper-V Enhanced Session Mode. Re-enabling IPv6 will NOT fix the corruption. See the critical warning in Step 9 for details.
Why is this critical? Kerberos authentication performs reverse DNS lookups to verify server identity. Without PTR records, each authentication attempt will time out after 30–40 seconds before falling back to NTLM. This causes severe performance degradation, especially noticeable during hard refreshes or initial page loads. Creating PTR records now prevents this issue across the entire lab environment.
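
The reverse zone, the five PTR records and the verification from Step 9b can be done in one pass with the DnsServer module on ELYSE-DC01. This is an added example, not part of the original guide; the function name Test-LabReverseDns is hypothetical, and the check goes beyond the single nslookup above by testing every lab host in both directions.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DnsServer
# Added example; run on ELYSE-DC01 after promotion (Step 8).

$Zone = '0.0.10.in-addr.arpa'
$LabHosts = [ordered]@{
    '10.0.0.10' = 'ELYSE-DC01.elyse.local'
    '10.0.0.20' = 'ELYSE-SQL01.elyse.local'
    '10.0.0.30' = 'ELYSE-BE01.elyse.local'
    '10.0.0.40' = 'ELYSE-FE01.elyse.local'
    '10.0.0.50' = 'ELYSE-WK01.elyse.local'
}

# AD-integrated reverse zone, domain-wide replication, secure dynamic updates only
# (same choices as the New Zone Wizard steps above).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure
}

# One PTR record per VM. Inside a /24 reverse zone the record name is the last octet.
foreach ($ip in $LabHosts.Keys) {
    $label    = $ip.Split('.')[-1]
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $label -RRType Ptr -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordPtr -ZoneName $Zone -Name $label -PtrDomainName $LabHosts[$ip]
    }
}

# Hypothetical helper: checks that each IP resolves to the expected FQDN (PTR)
# and that the FQDN resolves back to the same IP (A record).
function Test-LabReverseDns {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Map,
        [string] $Server = '10.0.0.10'
    )
    foreach ($ip in $Map.Keys) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $fwd = Resolve-DnsName -Name $Map[$ip] -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }

        [pscustomobject]@{
            IP        = $ip
            Expected  = $Map[$ip]
            PtrName   = $ptr.NameHost
            PtrOk     = ($ptr.NameHost -eq $Map[$ip])      # case-insensitive comparison
            ForwardOk = ($fwd.IPAddress -contains $ip)
        }
    }
}

# Querying the DC by its IPv4 address avoids the IPv6 timeout noise that nslookup shows.
Test-LabReverseDns -Map $LabHosts | Format-Table -AutoSize
```

PtrOk should be True for all five rows as soon as the script finishes. ForwardOk stays False for a member server until that VM has joined the domain and registered its A record, so rerun the check at the end of the build.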

Step 10: Configure Active Directory for Elyse

Now follow the Domain Setup guide completely to create the service accounts and security group required by Elyse.

Lab substitutions: When following the Domain Setup guide:
  • Replace yourdomain.com with elyse.local
  • Replace YOURDOMAIN with ELYSE
  • Use your lab password for the service account passwords
Complete all steps before proceeding.

PHASE 3: SQL SERVER (ELYSE-SQL01)

Step 11: Create the ELYSE-SQL01 Virtual Machine

  1. In Hyper-V Manager (on your host PC), right-click your computer name > New > Virtual Machine...
  2. Walk through the wizard:
    1. Before You Begin: Click Next.
    2. Name and Location: Name: ELYSE-SQL01. Tick “Store in a different location” and browse to C:\Lab-Elyse\SQL01. Click Next.
    3. Generation: Select Generation 2. Click Next.
    4. Memory: 8192 MB (8 GB). Uncheck Dynamic Memory. (SQL Server performs better with fixed RAM.) Click Next.
    5. Networking: Select Elyse-Internal-Switch. Click Next.
    6. Hard Disk: 80 GB (SQL needs more room than the DC). Click Next.
    7. Installation Options: Browse to your Windows Server 2022 ISO. Click Next.
    8. Summary: Click Finish.

Step 12: Hardware Configuration (ELYSE-SQL01)

  1. Right-click ELYSE-SQL01 > Settings...
  2. Processor: Set to 4 virtual processors (SQL Server benefits from more CPU cores).
  3. Security: Ensure Enable Trusted Platform Module is ticked.
  4. (Optional) Checkpoints: Change to Standard Checkpoints for easier rollback.
  5. Click OK.

Step 13: Install Windows Server (ELYSE-SQL01)

Follow the same process as Step 5 (ELYSE-DC01):

  1. Right-click ELYSE-SQL01 > Connect.... Click the green Start button.
  2. Immediately press any key when “Press any key to boot from CD or DVD” appears.
  3. Language defaults > Next > Install now.
  4. Select Windows Server 2022 Standard Evaluation (Desktop Experience). Click Next.
  5. Accept license > Custom install > Drive 0 (80 GB) > Next.
  6. Wait for installation. Do not press a key during reboots.
  7. Set the Administrator password (same lab password). Log in.

Step 14: Configure Networking (ELYSE-SQL01)

  1. Press Windows Key + R, type ncpa.cpl, press Enter.
  2. Right-click Ethernet > Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) > Properties.
  4. Select Use the following IP address:
    IP address: 10.0.0.20
    Subnet mask: 255.255.255.0
    Default gateway: (leave blank)
  5. Select Use the following DNS server addresses:
    Preferred DNS server: 10.0.0.10
    Why 10.0.0.10? This points to your Domain Controller (ELYSE-DC01), which runs the DNS service. If this is wrong, the domain join in the next step will fail.
  6. Click OK, then Close.

Step 15: Join the Domain (ELYSE-SQL01)

  1. Open Server Manager. Click Local Server in the left sidebar.
  2. Click the blue link next to Computer name (shows a random name like WIN-XXXX).
  3. Click Change...
  4. Computer name: ELYSE-SQL01
  5. Under Member of, select Domain and type: elyse.local
  6. Click OK. A credentials dialog appears:
    User name: ELYSE\Administrator
    Password: (your lab password)
  7. You should see: “Welcome to the elyse.local domain.”
  8. Click OK and Restart Now.
  9. After reboot, log in as ELYSE\Administrator.

Step 16: Transfer SQL Server Installer to the VM

Since the lab has no internet, transfer the SQL Server Express installer from your host PC to the VM:

Option A — Copy/Paste (easiest): If Enhanced Session Mode is enabled in Hyper-V (usually on by default), right-click the installer file on your host > Copy, then right-click the VM desktop > Paste.

Option B — ISO Mount: In Hyper-V Manager, right-click ELYSE-SQL01 > Settings... > SCSI Controller > DVD Drive. Select Image file and browse to the installer. Inside the VM, it appears as a DVD drive in File Explorer.

Step 17: Install SQL Server and Restore Database

Follow the SQL Server & Database guide completely.

Lab substitutions:
  • Replace YOURDOMAIN with ELYSE
  • Replace yourdomain.com with elyse.local
  • The svc_sql account was created in Step 10 (via the Domain Setup guide)
  • Transfer the Elyse database backup (.bak file) to the VM using the same method as Step 16
Complete all steps before proceeding.

Step 18: Configure KCD

Follow the KCD Configuration guide. Perform these steps on ELYSE-DC01 (not on the SQL server).

Lab substitutions:
  • Replace YOURDOMAIN with ELYSE
  • Replace yourdomain.com with elyse.local
  • SQL Server hostname: ELYSE-SQL01
  • Backend hostname: ELYSE-BE01
  • Frontend hostname: ELYSE-FE01 (for the frontend proxy SPNs — required because the frontend and backend are on separate servers)
Complete all steps before proceeding.

PHASE 4: BACKEND SERVER (ELYSE-BE01)

Step 19: Create the ELYSE-BE01 Virtual Machine

  1. In Hyper-V Manager, right-click your computer name > New > Virtual Machine...
  2. Walk through the wizard:
    1. Before You Begin: Click Next.
    2. Name and Location: Name: ELYSE-BE01. Tick “Store in a different location”, browse to C:\Lab-Elyse\BE01. Click Next.
    3. Generation: Generation 2. Click Next.
    4. Memory: 4096 MB. Uncheck Dynamic Memory. Click Next.
    5. Networking: Elyse-Internal-Switch. Click Next.
    6. Hard Disk: 60 GB. Click Next.
    7. Installation Options: Browse to your Windows Server 2022 ISO. Click Next.
    8. Summary: Click Finish.
  3. Hardware Tweaks: Right-click ELYSE-BE01 > Settings...
    • Processor: Set to 2.
    • Security: Enable TPM.
    Click OK.

Step 19b: Install Windows Server (ELYSE-BE01)

Follow the same Windows Server installation process as Step 5 / Step 13:

  1. Connect to the VM and click Start. Press a key immediately to boot from the ISO.
  2. Select Windows Server 2022 Standard Evaluation (Desktop Experience).
  3. Custom install > Drive 0 (60 GB) > Next. Wait for installation.
  4. Set the Administrator password (same lab password). Log in.

Step 20: Configure Networking and Join Domain (ELYSE-BE01)

Set the Static IP

  1. Press Windows Key + R, type ncpa.cpl, press Enter.
  2. Right-click Ethernet > Properties.
  3. Select IPv4 > Properties. Enter:
    IP address: 10.0.0.30
    Subnet mask: 255.255.255.0
    Default gateway: (leave blank)
    Preferred DNS: 10.0.0.10
  4. Click OK, then Close.

Join the Domain

  1. Open Server Manager. Click Local Server.
  2. Click the blue link next to Computer name. Click Change...
  3. Computer name: ELYSE-BE01. Member of: Domain: elyse.local. Click OK.
  4. Credentials: ELYSE\Administrator / (lab password).
  5. You should see: “Welcome to the elyse.local domain.”
  6. Click OK and Restart Now. After reboot, log in as ELYSE\Administrator.

Step 21: Deploy the Backend

Transfer the SERVER backend deployment zip (e.g., Elyse-Backend-*-SERVER-Deploy-*.zip) to ELYSE-BE01 (using copy/paste or ISO mount as in Step 16) and follow the Backend Installation (Server) instructions.

When configuring the .env file, use these lab values:

DB_HOST=ELYSE-SQL01
DB_NAME=Elyse_DB
USE_KCD=true

PHASE 5: FRONTEND SERVER (ELYSE-FE01)

Step 22: Create the ELYSE-FE01 Virtual Machine

  1. In Hyper-V Manager, right-click your computer name > New > Virtual Machine...
  2. Walk through the wizard:
    1. Before You Begin: Click Next.
    2. Name and Location: Name: ELYSE-FE01. Tick “Store in a different location”, browse to C:\Lab-Elyse\FE01. Click Next.
    3. Generation: Generation 2. Click Next.
    4. Memory: 4096 MB. Uncheck Dynamic Memory. Click Next.
    5. Networking: Elyse-Internal-Switch. Click Next.
    6. Hard Disk: 60 GB. Click Next.
    7. Installation Options: Browse to your Windows Server 2022 ISO. Click Next.
    8. Summary: Click Finish.
  3. Hardware Tweaks: Right-click ELYSE-FE01 > Settings...
    • Processor: Set to 2.
    • Security: Enable TPM.
    • Firmware: Ensure DVD Drive is at the top of the boot order. (If not, select it and click “Move Up”.)
    Click OK.

Step 22b: Install Windows Server (ELYSE-FE01)

Follow the same Windows Server installation process:

  1. Connect to the VM and click Start. Press a key immediately to boot from the ISO.
  2. Select Windows Server 2022 Standard Evaluation (Desktop Experience).
  3. Custom install > Drive 0 (60 GB) > Next. Wait for installation.
  4. Set the Administrator password (same lab password). Log in.

Step 23: Configure Networking and Join Domain (ELYSE-FE01)

Set the Static IP

  1. Press Windows Key + R, type ncpa.cpl, press Enter.
  2. Right-click Ethernet > Properties.
  3. IMPORTANT: Leave IPv6 enabled. Do NOT uncheck Internet Protocol Version 6 (TCP/IPv6). See the critical warning in Step 9 about IPv6.
  4. Select Internet Protocol Version 4 (TCP/IPv4), then click Properties. Enter:
    IP address: 10.0.0.40
    Subnet mask: 255.255.255.0
    Default gateway: (leave blank)
    Preferred DNS: 10.0.0.10
  5. Click OK, then Close.

Join the Domain

  1. Open Server Manager. Click Local Server.
  2. Click the blue link next to Computer name. Click Change...
  3. Computer name: ELYSE-FE01. Member of: Domain: elyse.local. Click OK.
  4. Credentials: ELYSE\Administrator / (lab password).
  5. You should see: “Welcome to the elyse.local domain.”
  6. Click OK and Restart Now. After reboot, log in as ELYSE\Administrator.

Step 24: Deploy the Frontend

This step installs IIS and the Elyse frontend on ELYSE-FE01. All commands should be run on ELYSE-FE01.

Step 24a: Install IIS

  1. Open Server Manager.
  2. Click Manage (top-right menu) → Add Roles and Features.
  3. Click Next on each page until you reach the Server Roles page.
  4. Check Web Server (IIS). Click Add Features when prompted.
  5. Click Next until you reach Role Services.
  6. Ensure the following are checked:
    • Web Server > Common HTTP Features > Default Document
    • Web Server > Common HTTP Features > Static Content
    • Management Tools > IIS Management Console
  7. Click Next, then Install. Wait for completion.
  8. Verify: Open a web browser and navigate to http://localhost. You should see the IIS default page (a blue page with the IIS logo).

Step 24b: Install URL Rewrite Module

The URL Rewrite module is required for Angular routing to work correctly.

  1. Transfer the URL Rewrite installer to ELYSE-FE01 (download from https://www.iis.net/downloads/microsoft/url-rewrite on your host machine, then copy/paste or mount as ISO).
  2. Double-click the installer file (e.g., rewrite_amd64_en-US.msi). If prompted by UAC, click Yes.
  3. Accept the license agreement, click Install, then click Finish.

Step 24c: Copy Frontend Files

  1. Transfer the frontend deployment zip (Elyse-Frontend-*-Deploy-*.zip) to ELYSE-FE01.
  2. In File Explorer, navigate to C:\inetpub\wwwroot\. Create an Elyse folder, then create a frontend folder inside it. The full path should be: C:\inetpub\wwwroot\Elyse\frontend
  3. Right-click the frontend zip file and select Extract All..., choose a temporary location (e.g., C:\Temp\ElyseFrontend), and click Extract.
  4. Open the extracted folder, select all files, and copy them.
  5. Navigate to C:\inetpub\wwwroot\Elyse\frontend and paste.
  6. Verify: The directory should contain index.html, an assets folder, and various .js/.css files.

Step 24d: Configure Backend API URL

  1. In File Explorer, navigate to C:\inetpub\wwwroot\Elyse\frontend\assets\
  2. Right-click config.json and select Open with > Notepad.
  3. The file contains a single line. Edit the apiUrl value to point to the frontend server (which proxies API requests to the backend):
    { "apiUrl": "http://ELYSE-FE01:8080/api" }

    This configuration allows the application to work correctly when accessed from any machine (the frontend server itself, the workstation, or other domain-joined computers).

  4. Save the file (Ctrl+S) and close Notepad.

Step 24e: Create IIS Site and Configure Application Pool

  1. Open IIS Manager (search for "IIS" in the Start menu).
  2. In the left panel (Connections), expand the server node (click the arrow next to your server name).
  3. Right-click Sites > Add Website...
  4. Configure:
    Site name: ElyseFrontend
    Physical path: C:\inetpub\wwwroot\Elyse\frontend
    Binding > Port: 8080

    Note: Leave the Application pool field blank or set to ElyseFrontend. IIS will create a new application pool with the same name as the site.

  5. Click OK.
  6. Configure the application pool for optimal static file performance. In the left panel, click Application Pools.
  7. In the center panel, find and click on ElyseFrontend to select it.
  8. In the Actions panel (right side), click Basic Settings...
  9. Change .NET CLR version from v4.0 to No Managed Code.
  10. Click OK.
  11. Add the .md MIME type (this allows the application to serve Markdown help files):
    1. In IIS Manager, click on the ElyseFrontend site in the left panel.
    2. In the centre panel, double-click MIME Types.
    3. In the Actions panel (right side), click Add...
    4. File name extension: .md, MIME type: text/markdown. Click OK.
  12. Configure authentication on the frontend site (the frontend serves static files and doesn't need authentication):
    1. In IIS Manager, click on the ElyseFrontend site in the left panel.
    2. In the centre panel, double-click Authentication.
    3. Ensure Anonymous Authentication is Enabled. If it shows "Disabled", select it and click Enable in the Actions panel (right side).
    4. If Windows Authentication appears in the list and is Enabled, select it and click Disable in the Actions panel. (Note: Windows Authentication may not be installed by default on a fresh IIS installation. If it doesn't appear in the list, that's fine - skip this step.)
  13. Install ARR 3.0 (Application Request Routing). Transfer the ARR installer to ELYSE-FE01 (download it from the Microsoft website on your host machine by searching for "Application Request Routing 3.0 download", then copy/paste or mount as ISO). Run the installer, accept defaults, and click Install.
  14. Close and reopen IIS Manager (this is required for the ARR module to appear).
  15. In IIS Manager, click the server name (top-level node) in the left panel. In the centre panel, you should now see Application Request Routing Cache. Double-click it. In the Actions panel (right side), click Server Proxy Settings.... Check the Enable proxy checkbox and click Apply in the Actions panel.

Step 24f: Configure Backend Proxy (Separate Server)

Because the backend is on a separate server (ELYSE-BE01), you must edit the web.config file to point to the backend server:

  1. In File Explorer, navigate to C:\inetpub\wwwroot\Elyse\frontend\.
  2. Right-click web.config and select Open with > Notepad.
  3. Find the line containing http://127.0.0.1:5000/api/{R:1} (this is the BackEndProxy rewrite rule).
  4. Change it to: http://ELYSE-BE01:5000/api/{R:1}
  5. Save the file (Ctrl+S) and close Notepad.

This tells the frontend IIS site to proxy API requests to the backend server on ELYSE-BE01.

Step 24g: Configure Windows Firewall

Allow inbound connections on port 8080 so the workstation (ELYSE-WK01) can access the frontend:

  1. On ELYSE-FE01, open PowerShell as Administrator (right-click PowerShell and select Run as administrator).
  2. Run the following command and press Enter:
    New-NetFirewallRule -DisplayName "Elyse Frontend HTTP" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
  3. Verify the rule was created:
    Get-NetFirewallRule -DisplayName "Elyse Frontend HTTP" | Select-Object DisplayName, Enabled, Direction, Action

    Expected output: DisplayName = "Elyse Frontend HTTP", Enabled = True, Direction = Inbound, Action = Allow
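
The rule above accepts connections to port 8080 from any source address on every firewall profile. The following added example (not part of the original guide) narrows the same rule to the lab subnet from the overview and then lists every enabled inbound allow rule that exposes the port; the function name Get-InboundPortExposure is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; run on ELYSE-FE01.
$RuleName  = 'Elyse Frontend HTTP'
$LabSubnet = '10.0.0.0/24'     # lab network from the overview

$scope = @{ RemoteAddress = $LabSubnet }

# Pin the rule to the Domain profile only when the adapter is actually detected as
# domain-authenticated; otherwise the rule would not apply and the site would be unreachable.
if ((Get-NetConnectionProfile).NetworkCategory -contains 'DomainAuthenticated') {
    $scope.Profile = 'Domain'
}

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # Rule already created as in step 2: tighten it in place.
    $rule | Set-NetFirewallRule @scope
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                        -LocalPort 8080 -Action Allow @scope | Out-Null
}

# Hypothetical helper: which enabled inbound allow rules name this TCP port explicitly,
# and from where? Rules with LocalPort "Any" or a port range are not matched here.
function Get-InboundPortExposure {
    param([int] $Port = 8080)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -eq 'TCP' -and $portFilter.LocalPort -contains "$Port") {
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addrFilter.RemoteAddress -join ', ')
            }
        }
    }
}

Get-InboundPortExposure -Port 8080 | Format-Table -AutoSize
```

Windows reports the subnet back in mask form (10.0.0.0/255.255.255.0). A second row with RemoteAddress Any means another rule still exposes the port to every source.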

Step 24h: Verify IIS Configuration

  1. Open IIS Manager and verify the ElyseFrontend site is listed under Sites and shows Status = "Started".
  2. Verify the site's Physical Path points to C:\inetpub\wwwroot\Elyse\frontend.
  3. Verify the Binding shows Port 8080.
  4. Click on ElyseFrontend site, then double-click Authentication. Verify Anonymous Authentication is Enabled.
Note: Full frontend testing will be performed from the workstation (ELYSE-WK01) in later steps after test user accounts are created. Testing from the server itself is not recommended as it bypasses the proper Kerberos authentication flow. The frontend deployment is now complete.
For complete frontend installation details, see the Frontend Installation guide. The steps above cover the essential configuration for the domain-in-a-box lab environment.

PHASE 6: WORKSTATION (ELYSE-WK01)

The workstation VM provides a domain-joined Windows 11 client for testing the application as an end user would experience it.

Important: While this phase is optional for production environments (where users already have domain-joined PCs), it is required for lab testing. Kerberos pass-through authentication can only be properly tested from a domain-joined workstation — not from the server itself. Without this VM, you cannot verify that the complete authentication chain (browser → frontend → backend → SQL Server) works transparently.

Step 25: Download Windows 11 Enterprise ISO

If not already downloaded:

  1. On your physical host machine (not inside a VM), open a web browser.
  2. Go to the Microsoft Evaluation Center — Windows 11 Enterprise.
  3. Click the download link for the 64-bit ISO. You may need to fill out a brief registration form.
  4. The download is approximately 6–7 GB. Save it to C:\Lab-Elyse\ISOs\.

Step 26: Create the ELYSE-WK01 Virtual Machine

  1. In Hyper-V Manager, right-click your computer name > New > Virtual Machine...
  2. Walk through the wizard:
    1. Before You Begin: Click Next.
    2. Name and Location: Name: ELYSE-WK01. Tick “Store in a different location”, browse to C:\Lab-Elyse\WK01. Click Next.
    3. Generation: Generation 2 (required for Windows 11). Click Next.
    4. Memory: 4096 MB. Uncheck Dynamic Memory. Click Next.
    5. Networking: Elyse-Internal-Switch. Click Next.
    6. Hard Disk: 64 GB. Click Next.
    7. Installation Options: Browse to your Windows 11 Enterprise ISO. Click Next.
    8. Summary: Click Finish.
  3. Hardware Tweaks (critical for Windows 11): Right-click ELYSE-WK01 > Settings...
    • Security: Ensure Enable Trusted Platform Module (TPM) is ticked. Windows 11 will refuse to install without this.
    • Processor: Set to 2.
    Click OK.

Step 27: Install Windows 11

  1. Right-click ELYSE-WK01 > Connect.... Click the green Start button.
  2. Immediately press any key when “Press any key to boot from CD or DVD” appears.
  3. Follow the installer prompts:
    1. Select your language and keyboard. Click Next.
    2. Click Install now.
    3. If asked for a product key, click “I don’t have a product key” (the Enterprise Evaluation usually skips this).
    4. Select Windows 11 Enterprise. Click Next.
    5. Accept the license terms. Click Next.
    6. Select Custom: Install Windows only (advanced).
    7. Select Drive 0 (64 GB). Click Next.
  4. Wait for installation. The VM will restart.
  5. When asked “How would you like to set up this device?”, choose Set up for work or school.
  6. On the sign-in screen, look for Sign-in options and choose Domain join instead (or “Local account”). We want a local desktop first so we can set the IP and join the domain properly.

OOBE Network Bypass

Windows 11 may insist on a network connection before letting you continue. Since our lab has no internet, you need to bypass this:

  1. On the “Let’s connect you to a network” screen, press Shift + F10 on your keyboard. (On some laptops, you may need Shift + Fn + F10.) A black Command Prompt window opens.
  2. Type the following command exactly and press Enter: OOBE\BYPASSNRO
  3. The VM will automatically reboot and return to the beginning of setup.
  4. Go through the Region and Keyboard screens again.
  5. This time, on the “Let’s connect you to a network” screen, you will see a new option: “I don’t have internet”. Click it.
  6. On the next screen, click “Continue with limited setup”.

Create a local user (e.g., LabAdmin) and set a password. Complete the remaining setup screens to reach the desktop.

Step 28: Configure Networking and Join Domain (ELYSE-WK01)

Set the Static IP

  1. Right-click the Start button > Run. (Or press Windows Key + R.)
  2. Type ncpa.cpl and press Enter.
  3. Right-click Ethernet > Properties.
  4. IMPORTANT: Leave IPv6 enabled. Do NOT uncheck Internet Protocol Version 6 (TCP/IPv6). See the critical warning in Step 9 about IPv6.
  5. Select Internet Protocol Version 4 (TCP/IPv4) > Properties. Enter:
    IP address: 10.0.0.50
    Subnet mask: 255.255.255.0
    Default gateway: (leave blank)
    Preferred DNS: 10.0.0.10
  6. Click OK, then Close.

Join the Domain (Windows 11 method)

Important: The domain join process on Windows 11 is different from Windows Server. Follow these steps carefully.
  1. Click Start > Settings (the gear icon).
  2. Click Accounts in the left sidebar.
  3. Click Access work or school.
  4. Click the Connect button.
  5. CRITICAL: Do NOT type anything in the email box at the top. Instead, look at the very bottom of the pop-up window for the link: “Join this device to a local Active Directory domain”. Click that link.
  6. Type the domain name: elyse.local. Click Next.
  7. Enter credentials:
    User name: ELYSE\Administrator
    Password: (your lab password)
  8. Click OK through any prompts and Restart the VM.

Verify the Domain Join

  1. After the reboot, at the login screen, click Other User (bottom-left).
  2. Look at the bottom of the screen — it should say “Sign in to: ELYSE”.
  3. Log in as:
    User name: ELYSE\Administrator
    Password: (your lab password)

If you see “Sign in to: ELYSE” and can log in, the domain join was successful.

Configure Remote Desktop Users for Enhanced Session Mode (Optional)

Windows 11 in Hyper-V uses Enhanced Session Mode for clipboard integration and better display resolution. This requires Remote Desktop permissions. To enable clipboard functionality for test users:

First, verify Enhanced Session Mode is enabled in Hyper-V:

  1. In Hyper-V Manager on the host, click on your host computer name in the left panel (not the VM).
  2. In the right panel, click Hyper-V Settings...
  3. In the left panel, click Enhanced Session Mode Policy.
  4. Ensure "Allow enhanced session mode" is checked. If not, check it and click OK.

Then, grant Remote Desktop permissions to test users:

  1. On ELYSE-WK01 (logged in as ELYSE\Administrator), press Windows Key + R.
  2. Type: lusrmgr.msc and press Enter.
  3. In the left panel, click Groups.
  4. In the right panel, double-click Remote Desktop Users.
  5. Click the Add... button.
  6. Click the Locations... button, select elyse.local, then click OK.
  7. In the "Enter the object names to select" box, type: Elyse_Users
  8. Click Check Names (it should underline and show as ELYSE\Elyse_Users).
  9. Click OK, then OK again to close the Remote Desktop Users Properties window.
  10. Close the Local Users and Groups window.
  11. Restart ELYSE-WK01 for the changes to take effect.
Note: This step enables clipboard sharing between the host and ELYSE-WK01 when using Hyper-V Enhanced Session Mode. If you prefer to work without clipboard integration, you can skip this step and disable Enhanced Session Mode in Hyper-V Manager (View menu > uncheck Enhanced Session).

PHASE 7: POST-DEPLOYMENT

Step 29: Create Test User Accounts

Before you can test the application, you need regular domain user accounts. The Administrator account should not be used for application testing — it is not a member of the Elyse_Users group and is not representative of how real users will access the system.

Switch to ELYSE-DC01 and open Active Directory Users and Computers (Server Manager > Tools > Active Directory Users and Computers).

  1. In the left panel, expand elyse.local and click on the Elyse OU.
  2. Right-click the Elyse OU > New > User.
  3. Create the first test user:
    First name: Jane
    Last name: Smith
    User logon name: jsmith
    Click Next. Set the password to your lab password. Uncheck “User must change password at next logon” and check “Password never expires” (for lab convenience). Click Next, then Finish.
  4. Repeat to create a second test user:
    First name: John
    Last name: Doe
    User logon name: jdoe
  5. CRITICAL: Add both users to the Elyse_Users security group. This step is required for users to access the application and log in to the workstation:
    1. In the right panel of ADUC (still in the Elyse OU), scroll down and double-click the Elyse_Users group to open its properties.
    2. Click the Members tab.
    3. Click Add...
    4. Type: jsmith; jdoe and click Check Names. Both names should become underlined.
    5. Click OK, then OK again.
    6. Verify: The Members tab should now show both jsmith and jdoe in the list.
Important: Users MUST be members of the Elyse_Users security group to access the application. If users are not added to this group, they will experience:
  • Blank page or timeout errors when accessing the application
  • Remote Desktop login errors on the workstation (if using Hyper-V Enhanced Session Mode)
  • Authentication failures in the backend logs
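
The account creation and group membership from Step 29 can be scripted and verified in one pass, which makes a missed group assignment visible immediately. This is an added example, not part of the original guide; the OU path OU=Elyse,DC=elyse,DC=local is an assumption (Elyse OU directly under the domain root) and the UPN suffix follows the elyse.local domain name.

```powershell
# Added example: run on ELYSE-DC01 in an elevated PowerShell session.
Import-Module ActiveDirectory

$ouPath   = 'OU=Elyse,DC=elyse,DC=local'   # assumption: Elyse OU sits under the domain root
$group    = 'Elyse_Users'
$password = Read-Host -AsSecureString 'Lab password for the test users'

$users = @(
    @{ Given = 'Jane'; Surname = 'Smith'; Sam = 'jsmith' },
    @{ Given = 'John'; Surname = 'Doe';   Sam = 'jdoe'   }
)

foreach ($u in $users) {
    # Skip accounts that already exist so the script can be re-run safely.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name "$($u.Given) $($u.Surname)" `
            -GivenName $u.Given -Surname $u.Surname `
            -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@elyse.local" `
            -Path $ouPath -AccountPassword $password -Enabled $true `
            -ChangePasswordAtLogon $false -PasswordNeverExpires $true   # lab convenience only
    }
}

# Add only the users who are not members yet (Add-ADGroupMember errors on existing members).
$current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$missing = @($users | ForEach-Object { $_.Sam } | Where-Object { $current -notcontains $_ })
if ($missing) { Add-ADGroupMember -Identity $group -Members $missing }

# Verify: both test users must be listed; Administrator is expected to be absent.
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
foreach ($name in 'jsmith', 'jdoe', 'Administrator') {
    [pscustomobject]@{ Account = $name; InElyseUsers = ($members -contains $name) }
}

# Group membership is evaluated at logon: a user who is already signed in on
# ELYSE-WK01 must sign out and back in before the new membership takes effect.
```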

Step 30: Bootstrap and Test the System

Browser Requirement: Before proceeding, ensure you have a modern web browser on ELYSE-WK01. Windows 11 includes Microsoft Edge, but the version bundled with the OS may be too old to run the modern Angular application (Edge 86 from 2020 does not support ES2020+ JavaScript). If you encounter JavaScript syntax errors or a blank page, install Google Chrome using the offline installer:
  1. On a machine with internet access, download GoogleChromeStandaloneEnterprise64.msi from https://cloud.google.com/chrome-enterprise/browser/download/
  2. Transfer the installer to ELYSE-WK01 (e.g., via shared folder or USB)
  3. Double-click the MSI to install Chrome
Alternatively, ensure Edge is updated to version 120 or later, or use Firefox 100+.
Important: Log in to ELYSE-WK01 as a test user (e.g., ELYSE\jsmith), not as ELYSE\Administrator. The Administrator account is not a member of the Elyse_Users group and cannot access the application. Testing as a regular user is essential to verify that Kerberos pass-through authentication is working correctly.

Follow Bootstrapping to:

In this lab context:

LAB ENVIRONMENT SUMMARY

When all phases are complete:

VM | IP | Role
ELYSE-DC01 | 10.0.0.10 | Domain Controller for elyse.local
ELYSE-SQL01 | 10.0.0.20 | SQL Server with Elyse_DB database
ELYSE-BE01 | 10.0.0.30 | .NET backend on IIS with KCD
ELYSE-FE01 | 10.0.0.40 | Angular frontend on IIS
ELYSE-WK01 | 10.0.0.50 | Windows 11 workstation for testing

Service Accounts

Account | Purpose
ELYSE\svc_sql | SQL Server Database Engine
ELYSE\svc_elyse_be | IIS Application Pool (backend)

Security Group

ELYSE\Elyse_Users — Users permitted to access Elyse

SPNs

SPN | Account | Purpose
MSSQLSvc/ELYSE-SQL01.elyse.local:1433 | svc_sql | SQL Server (FQDN)
MSSQLSvc/ELYSE-SQL01:1433 | svc_sql | SQL Server (short name)
HTTP/ELYSE-BE01.elyse.local | svc_elyse_be | Backend HTTP (FQDN)
HTTP/ELYSE-BE01 | svc_elyse_be | Backend HTTP (short name)
HTTP/ELYSE-FE01.elyse.local | svc_elyse_be | Frontend proxy (FQDN) — allows backend to accept Kerberos tickets sent to the frontend hostname
HTTP/ELYSE-FE01 | svc_elyse_be | Frontend proxy (short name)

KCD

svc_elyse_be is trusted for delegation to MSSQLSvc on svc_sql.
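
A missing or duplicated SPN, or a delegation setting broader than intended, is the usual reason the Kerberos chain fails or is over-privileged. The following added example (not part of the original guide) audits the SPN table and the KCD statement above against Active Directory, using only the account names and SPNs listed in this summary.

```powershell
# Added example: run on ELYSE-DC01 as a domain administrator.
Import-Module ActiveDirectory

# Expected SPN ownership, taken from the SPN table above.
$expected = [ordered]@{
    'svc_sql'      = 'MSSQLSvc/ELYSE-SQL01.elyse.local:1433', 'MSSQLSvc/ELYSE-SQL01:1433'
    'svc_elyse_be' = 'HTTP/ELYSE-BE01.elyse.local', 'HTTP/ELYSE-BE01',
                     'HTTP/ELYSE-FE01.elyse.local', 'HTTP/ELYSE-FE01'
}
$props = 'ServicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'

$report = foreach ($name in $expected.Keys) {
    $acct = Get-ADUser -Identity $name -Properties $props
    $held = @($acct.ServicePrincipalName)
    foreach ($spn in $expected[$name]) {
        # An SPN registered on more than one object makes Kerberos ticket requests for it fail.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        [pscustomobject]@{
            Account = $name
            SPN     = $spn
            Owners  = ($owners | ForEach-Object { $_.Name }) -join ', '
            Status  = $(if (($held -contains $spn) -and $owners.Count -eq 1) { 'OK' } else { 'CHECK' })
        }
    }
    # SPNs on the account that the table does not list deserve a second look.
    $held | Where-Object { $_ -and $expected[$name] -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Account = $name; SPN = $_; Owners = $name; Status = 'NOT IN TABLE' }
    }
}
$report | Format-Table -AutoSize

# KCD: svc_elyse_be should delegate only to the MSSQLSvc SPNs held by svc_sql,
# and should not be trusted for unconstrained delegation.
$be      = Get-ADUser -Identity 'svc_elyse_be' -Properties $props
$targets = @($be.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$outside = @($targets | Where-Object { $expected['svc_sql'] -notcontains $_ })

[pscustomobject]@{
    DelegationTargets       = $targets -join ', '
    TargetsOutsideSvcSql    = $outside -join ', '      # expected: empty
    UnconstrainedDelegation = $be.TrustedForDelegation # expected: False
} | Format-List
```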