Active Directory in EC2: Basic Forest
Requirements:
• At least two instances. This exercise assumes that they’re all Windows 2008.
• For the multi-instance ping check, you’ll need three instances.
• A unique security group for your forest.
• Base knowledge of setting up scheduled tasks and working with the Windows Server 2008 operating system/firewall.
• Knowledge of the Windows registry, and comfort in editing it.
The Domain Controller:
The first step to getting your domain up and running is to set up your domain controller; you need a domain before you can have a forest. This section walks through getting a responsive Domain Controller going. First, get your security group up and running: allow all ports between members of the security group (use the group itself as the source of the rule rather than 0.0.0.0/0), so these instances can talk to each other.
Part 1: Preparing your instance for Active Directory.
Since Active Directory secures even DNS, make sure you're prepared for Kerberos authentication, which means time must be in sync (Kerberos rejects tickets when clocks differ by more than its tolerance, five minutes by default). The following should be rolled out in a batch file as a scheduled task on each machine (the /syncfromflags:manual switch makes w32tm actually use the listed peers):
w32tm /config /manualpeerlist:"0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org" /syncfromflags:manual /update && w32tm /resync /rediscover
I have mine configured to run every five minutes, but we recommend at least five times per day.
Next, configure the DNS servers that your instance will use. Mine looked like this:
Primary: 127.0.0.1
Secondary: 172.16.0.23
This is set by opening Control Panel, then Network and Sharing Center, then clicking "Manage Connections," and opening the properties for the PV (paravirtual) NIC. Once in there, open the properties for IPv4. As a side note, the secondary above is just one DNS server; customers may use different DNS servers.
Next, you need to ensure the EC2Config Service isn't going to put your instance(s) into a reboot loop. Open the Start Menu, go to All Programs, and open the EC2ConfigService Settings program. Uncheck the boxes for "Set Computer Name" and "Set Password."
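Part 1 as one script, an added example rather than the article's own batch file: it sets the NTP peers, schedules the five-minute resync, and sets the DNS servers (EC2Config is still changed in the GUI as described). The NIC name "Local Area Connection" and the 127.0.0.1 / 172.16.0.23 DNS pair are assumptions to edit.

```batch
@echo off
rem prep-instance.cmd: added example, not from the original article.
rem Runs the Part 1 settings non-interactively on a Windows Server 2008 instance.
rem Assumptions: the NIC is named "Local Area Connection"; primary/secondary DNS
rem are the values the article uses. Run from an elevated command prompt.
set NIC=Local Area Connection
set PRIMARY_DNS=127.0.0.1
set SECONDARY_DNS=172.16.0.23
set NTP_PEERS=0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org

rem --- 1. Time: Kerberos rejects tickets when clocks differ by more than five
rem     minutes, so point w32tm at external peers, make it use them
rem     (/syncfromflags:manual), restart the service and force a resync now.
w32tm /config /manualpeerlist:"%NTP_PEERS%" /syncfromflags:manual /update
net stop w32time
net start w32time
w32tm /resync /rediscover

rem --- 2. Keep it in sync: re-run the resync every five minutes as SYSTEM
rem     (the article's interval; at least five times a day is the minimum).
schtasks /create /f /ru SYSTEM /sc minute /mo 5 /tn "EC2-TimeResync" /tr "w32tm.exe /resync /rediscover"

rem --- 3. DNS: primary is this host (the DC will run DNS after dcpromo),
rem     secondary is the fallback resolver from the article.
netsh interface ipv4 set dnsservers name="%NIC%" source=static address=%PRIMARY_DNS%
netsh interface ipv4 add dnsservers name="%NIC%" address=%SECONDARY_DNS% index=2

rem --- 4. Show the result so it can be checked before running dcpromo.
w32tm /query /status
netsh interface ipv4 show dnsservers name="%NIC%"
```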
Part 2: Installing the Directory Services role.
First, locate the Server Manager. This is in the bottom left corner next to the Start menu on the base Windows 2008 image (assuming you haven't relocated or customized the Start menu yet). Go ahead and open it up.
Next, click “Add Roles.” From here, you’re looking for the “Active Directory Domain Services” role. Go ahead and install it.
NOTE: Don’t install the DNS server role at this point. This is taken care of during the promotion and configuration of your instance as a Domain Controller.
Part 3: DCPromo
1) Open a command prompt and run the command: dcpromo
2) Create a new forest. We're not joining a secondary DC.
3) Enter the FQDN.
4) Enter the NETBIOS name.
5) Enter the functional level of the domain. For this purpose, 2008; we're only using 2k8 instances for this.
6) Leave the DNS server option selected. Though I'm quite positive you can host DNS offsite. ;) (a tip for those fault-tolerant applications)
7) Choose DHCP.
8) Follow the rest of the prompts and you're set. DCPromo is very easy to do and very step by step, even in advanced installation (these steps pertain to the advanced install).
9) Reboot.
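The same promotion driven from a dcpromo answer file, as an added example (not the article's procedure) for when the forest has to be rebuilt repeatably: steps 2 through 6 and 8 map to the [DCINSTALL] keys below; step 7's DHCP choice and step 9's reboot stay manual. The domain names are placeholders, and the DSRM password is read from the console rather than stored in the script.

```batch
@echo off
rem new-forest.cmd: added example, not from the original article.
rem Runs the Part 3 dcpromo steps unattended. Run elevated after Part 1 and
rem Part 2 are done. FQDN and NETBIOS below are placeholders: edit them.
setlocal
set FQDN=corp.example.test
set NETBIOS=CORP
set ANSWER=%TEMP%\dcpromo-answer.txt
set /p DSRMPW=Directory Services Restore Mode password: 
if "%DSRMPW%"=="" (
  echo a DSRM password is required
  exit /b 2
)

rem Answer-file keys: new forest (steps 2-4), forest/domain level 3 = Windows
rem Server 2008 (step 5), DNS installed by dcpromo itself (step 6). Reboot is
rem left to you (step 9) so this script can clean up first.
(
  echo [DCINSTALL]
  echo ReplicaOrNewDomain=Domain
  echo NewDomain=Forest
  echo NewDomainDNSName=%FQDN%
  echo DomainNetbiosName=%NETBIOS%
  echo ForestLevel=3
  echo DomainLevel=3
  echo InstallDNS=Yes
  echo SafeModeAdminPassword=%DSRMPW%
  echo RebootOnCompletion=No
) > "%ANSWER%"

rem The answer file holds the DSRM password in clear text, so delete it as
rem soon as dcpromo returns, whether or not the promotion succeeded.
dcpromo /unattend:"%ANSWER%"
set RC=%ERRORLEVEL%
del /q "%ANSWER%"
echo dcpromo exit code %RC% - reboot the instance to finish (step 9)
exit /b %RC%
```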
Member Servers:
Step 1: Configure the DNS servers
Same method as before, only using this information:
Primary: Internal IP of DC
Secondary: 172.16.0.23
For DNS lookups on a member, you MUST use the DC's internal IP. There's no way to set it to listen on the external IP. This has been a real challenge for our EC2 AD customers:
http://developer.amazonwebservices.com/connect/thread.jspa?threadID=48476&start=15&tstart=0c
Step 2: Set up EC2Config Service.
Perform the same EC2Config Service changes that you did with the DC.
Step 3: Join to the domain.
start->right click computer->properties->change name
Select the Domain option using the radio button, and use the FQDN that you set up for your domain. It will prompt you for the domain administrator password, so just enter that and you're fine. It *should* work without disabling the firewall, but if it doesn't, try disabling the firewall for the join (this switches it off for all profiles, so turn it back on once the join has succeeded):
netsh advfirewall set allprofiles state off
To allow pings, you need to set the rule up in the firewall on the member servers. This is something you can find steps for anywhere online.
General “Gotchas”
IPv6
By default, IPv6 is still enabled on our Windows AMIs. You'll probably notice that the instances, when pinging the local host name (for example, pinging dc.test from dc.test), will return an IPv6 address. This is easily fixable, and I've not noticed any downside to leaving IPv6 in place, so consider this completely optional. I must stress that you need to understand the Windows registry before proceeding, as there's no easy way to recover if you make a mistake and mess up the registry.
Hint: Bundle an AMI here, and start with a member server so you can recover more easily.
So, now that you have this going…let’s do it.
Open your Start Menu, then Control Panel, then Network and Sharing Center, then click “Manage Connections,” and open the properties for the PV NIC. Uncheck the IPv6 box. This only disables it on the primary NIC and not tunnel interfaces or the loopback, so we’re not done yet. Don’t go rebooting your instance yet.
Now, open up regedit and edit your registry. Here’s the path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Select Parameters and right-click it, so that you're creating the DWORD (32-bit) value in the Parameters key itself. Create a new DWORD named "DisabledComponents".
You'll see it appear in the right-hand pane where the values under the Parameters key are shown. Right-click it and choose Modify (not Modify Binary Data). Make sure Hexadecimal is selected, enter "FFFFFFFF" and click OK.
Now, reboot the instance. Give the system time to come back up, and next time you connect, you’re only using IPv4! You’ll probably want to disable IPv6 on the rest of your domain members and controllers, but that’s up to you.
IP Address changes
IP addresses in EC2 are not static, so if your DC is used as a DNS server, you will need to update all clients that point to this machine so they can continue to use DNS after an IP change.
If/when the IP address of your DC changes, you can run the following from a command prompt on the DC:
ipconfig /registerdns
netdiag /fix
And, if the IP address is in a new subnet, be sure to update Sites and Services in your AD too.
Also consider running DCDiag, which can be downloaded from here:
http://technet.microsoft.com/en-us/library/cc776854%28WS.10%29.aspx
Run dcdiag, netdiag and repadmin in verbose mode:
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (on each DC)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
Description and download for dnslint: http://support.microsoft.com/kb/321045
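A quicker check to run right after the re-registration above, as an added example that is not part of the original article: it confirms that the records clients use to find the DC (its A record and the _ldap/_kerberos SRV records under _msdcs) resolve from the DC's own DNS service and point at the new internal IP. The hypothetical arguments (domain FQDN, DC hostname, new IP) and the use of 127.0.0.1 as the resolver are assumptions.

```batch
@echo off
rem verify-dc-dns.cmd: added example, not from the original article.
rem After the DC's IP changes and "ipconfig /registerdns" has run, confirm the
rem host A record and the _msdcs SRV records point at the new address.
rem Usage: verify-dc-dns.cmd <domain FQDN> <dc hostname> <new internal IP>
rem Assumption: the DC's own DNS service (127.0.0.1) answers the queries.
setlocal enabledelayedexpansion
set DOMAIN=%~1
set DC=%~2
set NEWIP=%~3
set DNS=127.0.0.1
set FAIL=0
if "%NEWIP%"=="" (
  echo usage: %~nx0 domain.fqdn dchost 10.0.0.5
  exit /b 2
)

rem --- A record: the last "Address:" line nslookup prints is the answer (the
rem     first is the resolver itself), so a missing or stale record shows up
rem     as a mismatch against the expected IP.
set GOT=
for /f "tokens=2" %%a in ('nslookup %DC%.%DOMAIN% %DNS% 2^>nul ^| findstr /b /i "Address"') do set GOT=%%a
if /i "%GOT%"=="%NEWIP%" (
  echo OK    A    %DC%.%DOMAIN% = %GOT%
) else (
  echo FAIL  A    %DC%.%DOMAIN% = "%GOT%", expected %NEWIP% - re-run ipconfig /registerdns
  set FAIL=1
)

rem --- SRV records: each must list this DC as a target host ("svr hostname =
rem     <fqdn>" in nslookup output; other DCs may be listed as well).
for %%s in (_ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs) do (
  set HIT=0
  for /f "tokens=4" %%h in ('nslookup -type=SRV %%s.%DOMAIN% %DNS% 2^>nul ^| findstr /i "hostname"') do (
    if /i "%%h"=="%DC%.%DOMAIN%" set HIT=1
  )
  if "!HIT!"=="1" (echo OK    SRV  %%s.%DOMAIN% -^> %DC%.%DOMAIN%) else (
    echo FAIL  SRV  %%s.%DOMAIN% does not list %DC%.%DOMAIN%
    set FAIL=1
  )
)
exit /b %FAIL%
```

A non-zero exit code means at least one record is wrong; clients that still resolve the old address will fail Kerberos and LDAP lookups until it is fixed.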