Microsoft Active Directory and EC2


On September 30th, Amazon announced they would no longer charge a higher per-hour fee for Windows servers utilizing Authentication Services. The new pricing makes Windows on EC2 a lot more attractive than it had been previously. The differentiation between Windows and Windows with Authentication Services was always an irritation.
The new pricing is great, but I've been doing a lot of research and experimentation with running a domain on Amazon EC2. Running a domain on EC2 is more complicated than it should be, and requires a lot more due diligence and scripting of your Windows instances to work successfully in the domain structure.
Setting up a Windows domain is a straightforward process that any MCSE should be able to accomplish. A Windows 2003/2008 server can be turned into a domain controller by running the dcpromo utility and following a simple wizard. Of course you need to make sure you properly size the directory database and SYSVOL and place them on the D: drive of the server, and on EC2 that drive has to be a persistent EBS volume rather than the ephemeral instance store, otherwise the directory disappears along with the instance.
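What the wizard does, scripted, as an added example (my own PowerShell, not code from the post or from Amazon's article): it writes the dcpromo answer file with the database, logs and SYSVOL on D:, refuses to run if that volume is not attached, promotes the box either as a new forest or as a replica DC of an existing domain, and deletes the answer file because it holds the DSRM and join passwords in clear text. Windows Server 2008 dcpromo /unattend syntax is assumed; the domain name, account names, paths and passwords are placeholders.

```powershell
# Added example, not code from the original post or from Amazon's article.
# Assumes Windows Server 2008 (dcpromo /unattend with a [DCInstall] section),
# that D: is an EBS volume attached before promotion, and placeholder names,
# paths and passwords. Run as the local Administrator.
param(
    [string]$DomainDns    = "corp.example.com",      # hypothetical domain
    [string]$NetbiosName  = "CORP",
    [string]$DsrmPassword = "ChangeMe-DSRM-1",       # Directory Services Restore Mode
    [switch]$Replica,                                 # add a replica DC to an existing domain
    [string]$JoinUser     = "CORP\Administrator",    # needs Domain Admins when -Replica
    [string]$JoinPassword = "ChangeMe-Join-1",
    [string]$SourceDc     = "dc01.corp.example.com"  # DC to replicate from when -Replica
)

$ntdsPath   = "D:\NTDS"
$sysvolPath = "D:\SYSVOL"
$answerFile = Join-Path $env:TEMP "dcpromo-unattend.txt"

# Fail early if the persistent volume is missing instead of promoting onto
# a drive that does not outlive the instance.
if (-not (Test-Path "D:\")) { throw "D: is not mounted; attach the EBS volume first" }

# Settings common to both cases: database, logs and SYSVOL on the persistent volume.
$common = @"
[DCInstall]
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="$ntdsPath"
LogPath="$ntdsPath"
SYSVOLPath="$sysvolPath"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@

if ($Replica) {
    $parts = $JoinUser.Split("\")
    $specific = @"
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDns
ReplicationSourceDC=$SourceDc
UserDomain=$($parts[0])
UserName=$($parts[1])
Password=$JoinPassword
"@
} else {
    $specific = @"
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDns
DomainNetbiosName=$NetbiosName
ForestLevel=3
DomainLevel=3
"@
}

# The answer file contains the DSRM (and join) password in clear text:
# write it, run dcpromo, and remove it again immediately.
Set-Content -Path $answerFile -Value ($common + "`r`n" + $specific)
dcpromo /unattend:$answerFile
$exit = $LASTEXITCODE
Remove-Item $answerFile -Force

# Promotion registers the NTDS service; its presence is the success test used here.
# Details of a failed run are in %SystemRoot%\debug\dcpromo.log.
if (Get-Service NTDS -ErrorAction SilentlyContinue) {
    "promotion finished (dcpromo exit code $exit), rebooting"
    shutdown /r /t 10
} else {
    throw "dcpromo did not install NTDS (exit code $exit); see $env:SystemRoot\debug\dcpromo.log"
}
```

Run it without switches on the first instance and with -Replica on every further DC. The DSRM password is a local administrator password for the DC when it is booted into restore mode, so keep it somewhere outside the AMI and the instance; the same goes for the join credentials, which on 2008 must be a Domain Admin for a replica promotion.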
Once the domain is configured and set up, it starts to get tricky and overly complex. There was an article on Amazon's developer site that detailed some of the backup and DR practices you should follow, but it seems to have been pulled. I've linked to a cached copy, but will keep checking back in case they republish or update the article.
http://74.125.155.132/search?q=cache:CqMDdqzir20J:developer.amazonwebservices.com/connect/entry.jspa%3FexternalID%3D2435+Creating+an+Active+Directory+Domain+in+Amazon+EC2&cd=1&hl=en&ct=clnk&gl=us
As you can see from the document, they state that you need to ensure that you have solid backups of your Active Directory environment: a system state backup (ntbackup on 2003, Windows Server Backup on 2008). Ideally you'd store these backups on S3, a persistent volume or a server in your local environment. Bear in mind that a system state backup contains the whole directory database, password hashes included, so encrypt it before it leaves the instance. They also advise that you must always have two domain controllers running in case an instance becomes degraded.
If your primary domain controller becomes corrupted you deploy another server, run dcpromo and add the new server to the domain. They neglect to mention that if you take this approach you need to take care of your FSMO roles (if the dead instance held any of the five, they do not move on their own and have to be seized on a surviving DC with ntdsutil), your DNS server configuration/status, and that your global catalog is fully replicated to all domain controllers. Also, when an old instance has been terminated you need to remove the dead domain controller from the directory (ntdsutil metadata cleanup, plus the DNS records it registered) so the remaining DCs don't keep trying to replicate accounts and objects to a server that no longer exists.
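The part the article skips, as an added example (my own script, not Amazon's or the post author's): run on the surviving DC after the other instance has been terminated, it seizes only the FSMO roles the dead DC actually held, cleans its metadata out of the directory, deletes its host and name-server records from DNS, and ends with the replication and role-holder checks you want to see clean before trusting the domain again. It drives the Windows Server 2008 command-line tools (netdom, ntdsutil, dsquery, dnscmd, repadmin, dcdiag); DC names, site and domain are placeholders.

```powershell
# Added example, not code from the original post or from Amazon's article.
# Assumes Windows Server 2008 with netdom, repadmin, dcdiag, dsquery, dsrm,
# ntdsutil and dnscmd on the path; all names are placeholders. Run on the
# surviving DC as a Domain Admin (Enterprise/Schema Admins for the forest roles).
param(
    [string]$DeadDc      = "DC01",                    # the terminated instance
    [string]$SurvivingDc = "DC02",                    # healthy DC that takes over
    [string]$Site        = "Default-First-Site-Name",
    [string]$DomainDns   = "corp.example.com",
    [string]$DomainDn    = "DC=corp,DC=example,DC=com"
)

# 1. FSMO roles. Seize only what the dead DC held: "seize" on a role whose
#    holder is still alive is just a transfer, but do not do it by accident.
$roleCmd = @{
    "Schema master"         = "seize schema master"
    "Domain naming master"  = "seize naming master"
    "PDC"                   = "seize PDC"
    "RID pool manager"      = "seize RID master"
    "Infrastructure master" = "seize infrastructure master"
}
$toSeize = @()
foreach ($line in (netdom query fsmo)) {
    # output lines look like "Schema master               dc01.corp.example.com"
    if ($line -match "^(\S.*?)\s{2,}(\S+)\s*$") {
        $label = $matches[1]; $holder = $matches[2]
        if ($roleCmd.ContainsKey($label) -and ($holder -eq $DeadDc -or $holder -like "$DeadDc.*")) {
            $toSeize += $roleCmd[$label]
        }
    }
}
if ($toSeize.Count -gt 0) {
    "seizing on ${SurvivingDc}: " + [string]::Join(", ", $toSeize)
    # ntdsutil confirms each seizure with a dialog, so run this interactively.
    ntdsutil roles connections "connect to server $SurvivingDc" quit $toSeize quit quit
}

# 2. Metadata cleanup, so the surviving DCs stop queuing replication to a ghost.
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
# Older ntdsutil versions leave the computer account behind; remove it if so.
$leftover = dsquery computer -name $DeadDc
if ($leftover) { dsrm -subtree -noprompt $leftover }

# 3. DNS. Clients and DCs still resolve the dead name to a dead address until
#    these go; the SRV records it registered under _tcp/_msdcs are left to
#    scavenging, which only removes records that stop being refreshed.
dnscmd $SurvivingDc /RecordDelete $DomainDns $DeadDc A /f
dnscmd $SurvivingDc /RecordDelete $DomainDns "@" NS "$DeadDc.$DomainDns." /f
dnscmd $SurvivingDc /RecordDelete "_msdcs.$DomainDns" "@" NS "$DeadDc.$DomainDns." /f
dnscmd $SurvivingDc /Config $DomainDns /Aging 1

# 4. Verify: replication clean, every DC agrees on the role holders, and at
#    least one surviving DC is a global catalog.
repadmin /replsummary
dcdiag /test:replications /test:knowsofroleholders /test:fsmocheck
"global catalogs: " + [string]::Join(" ", @(dsquery server -isgc))
```

Never bring the old instance back after seizing its roles or cleaning its metadata; two servers that both believe they own the RID master or schema master is a much worse problem than the outage you started with.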
A normal Windows/Linux instance can be created, configured and set up, and then you can follow the document to create an AMI of the server that you can reuse to deploy identical images. Unfortunately, part of the point of an AMI is that the servers it launches are unique; in a Windows world the deployment process runs Sysprep, which resets the machine SID, and a promoted domain controller cannot be imaged and cloned at all. Because of this you can't just set up three or four servers from images to be your domain controllers, as they wouldn't function as a domain when they were brought online; every DC has to be promoted fresh on first boot.
The other large problem you have to deal with is the DNS server. Having multiple DNS servers that may or may not exist requires quite a bit of maintenance activity: making sure each domain controller runs DNS, that stale records are being scavenged correctly, and that your client machines point at a stable address that you can repoint from server to server.
Not only do you have this increased complexity with the domain controllers and DNS, the Windows instances that run your databases, applications, etc. will also need some additional tweaking to work properly. You'll need to create scripts that add the instance to the domain as it is initiated, so that it can leverage domain policies and accounts. As instances can be temporary, you'll also need to regularly purge old instances from the domain and from DNS; otherwise you accumulate stale computer accounts, each of which is still a live security principal in the directory. This additional scripting and these processes require extra time and testing in building your AMIs.
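The member-instance side, as an added example (my own script, not the post author's or Amazon's): phase one runs at boot on a freshly launched instance, renames it after its instance id so the computer name is unique, then joins the domain into a dedicated OU; phase two runs on a DC as a scheduled task and deletes computer accounts in that OU that have stopped logging on, letting DNS scavenging clean up the records they left. The domain, OU and join account are placeholders, and the join account is assumed to be a low-privilege user delegated only create/delete computer objects on that OU, because whatever credential you bake into the AMI or user-data is readable by every process on the instance.

```powershell
# Added example, not code from the original post or from Amazon's article.
# Phase 1 (default) runs on a member instance at boot, e.g. from a RunOnce
# entry baked into the AMI; phase 2 (-Purge) runs on a DC as a scheduled task.
# Domain, OU and the join account are placeholders. The join account is assumed
# to be a dedicated user delegated only create/delete computer objects on the
# EC2 OU, never a domain admin: whatever is in user-data or the AMI is readable
# by every process on the instance.
param(
    [string]$Domain       = "corp.example.com",
    [string]$Ou           = "OU=EC2,DC=corp,DC=example,DC=com",
    [string]$JoinUser     = "CORP\svc-ec2-join",
    [string]$JoinPassword = "ChangeMe-Join-1",
    [switch]$Purge,
    [int]$StaleWeeks      = 2
)

function Get-InstanceId {
    # Instance metadata is unauthenticated: fine for an identifier, not for secrets.
    $url = "http://169.254.169.254/latest/meta-data/instance-id"
    (New-Object Net.WebClient).DownloadString($url).Trim()
}

function Join-Ec2Domain {
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) { return "already a member of $($cs.Domain)" }

    # Unique, stable computer name first. An instance id such as i-1a2b3c4d is
    # 10 characters, inside the 15-character NetBIOS limit.
    $wanted = (Get-InstanceId).ToUpper()
    if ($env:COMPUTERNAME -ne $wanted) {
        $r = $cs.Rename($wanted, $null, $null)
        if ($r.ReturnValue -ne 0) { throw "rename failed, Win32 error $($r.ReturnValue)" }
        shutdown /r /t 5          # the name changes on reboot; this script runs again then
        return "renamed to $wanted, rebooting"
    }

    # 1 = NETSETUP_JOIN_DOMAIN, 2 = NETSETUP_ACCT_CREATE: join and create the
    # computer account directly in the EC2 OU.
    $r = $cs.JoinDomainOrWorkgroup($Domain, $JoinPassword, $JoinUser, $Ou, 3)
    if ($r.ReturnValue -ne 0) { throw "join failed, Win32 error $($r.ReturnValue)" }
    shutdown /r /t 5
    return "joined $Domain as $wanted, rebooting"
}

function Remove-StaleMembers {
    # Computer accounts in the EC2 OU that have not logged on for $StaleWeeks
    # weeks (lastLogonTimestamp; needs Windows Server 2003 domain functional
    # level). Terminated instances never log on again, so they show up here.
    $stale = @(dsquery computer $Ou -inactive $StaleWeeks -limit 0)
    foreach ($dn in $stale) {
        if ($dn -match "OU=Domain Controllers") { continue }   # never remove a DC this way
        dsrm -noprompt $dn
    }
    # Their A/PTR records are left behind too; aging plus scavenging removes
    # anything a member has stopped refreshing.
    dnscmd /Config $Domain /Aging 1
    dnscmd /Config /ScavengingInterval 24
    dnscmd /StartScavenging
    return "removed $($stale.Count) stale computer account(s)"
}

if ($Purge) { Remove-StaleMembers } else { Join-Ec2Domain }
```

Two weeks of inactivity is a guess that suits short-lived instances; anything you stop for longer than that and start again has to be rejoined, which is the trade-off against leaving orphaned accounts around. Rotating the join account's password in the AMI is the other chore this creates, and one more reason to keep that account's rights to the single OU.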
The advice given by Amazon and all of these best practices are great, but I do recall issues when EC2 was still in beta with the entire EC2 cloud needing to be restarted. That results in the need to start all brand new instances, and you may not have the luxury of a previous domain controller to preserve your domain structure. This means you'll be restoring your AD infrastructure from your backups, so rehearse that restore before you need it.
Ultimately, the fault here doesn't lie in Amazon's systems, but really in the whole domain concept that Microsoft has built. It's not a very cloud-ready service, relying heavily on SMB traffic, RPC over a wide range of dynamic ports, and local networks. Ideally an Active Directory design that leverages native TCP/IP, easy domain membership and the ability to be started off an AMI would be a huge improvement to the current AD structure. In a perfect world though, I'd actually prefer to leverage Active Directory as a service from a SaaS provider or managed services vendor that I could use in Amazon or any cloud provider.
I'd love to get feedback on what others are doing to solve these WinAD problems in the cloud. I'm planning on doing some further research around Read Only Domain Controllers, Federated Domain services and ADAM (Active Directory Application Mode) as they may be better solutions in the long term for what I'm working on accomplishing.

