2 Oct 2013

MS Server 2012 AD via VPN in AWS VPC for Windows 8

Selective adoption of cloud infrastructure offers many advantages for Enterprise IT and in this post we are going to look at running a Microsoft Server 2012 Active Directory Domain Controller in an Amazon Web Services Virtual Private Cloud. Authentication for localised Windows 8 clients is provided via a secure IPSec enabled VPN tunnel.
This model provides a seamless extension of the business LAN whilst removing a need to source and accommodate expensive physical server hardware.

As usual we've produced a lovely top level schematic for you to help clarify how everything hangs together (Fig:1). Let's take a look at that first and then break down the ins and outs of what's going on:


So, what do we have here and how do we (you) put it together? A good place to start is the AWS 'Scenario' pages, followed by the AWS VPC wizards under your account in the AWS console; both are excellent.



In our example we are using a modified version of Scenario 4 with a single subnet and an added internet gateway (igw). The igw is not essential for AD functionality; it is configured for convenience so that the Server 2012 instance can fetch and install the latest Windows security updates at first boot. In corporate-controlled space it may be the case that these updates are instead applied manually from a staging or test environment.

After deciding on a scenario and installing your VPN router hardware, run through the AWS VPC wizard and apply the config it provides to your router to create and connect the VPN tunnel.

There are a couple of potential 'gotchas' worth mentioning here to help you with the initial VPN link up. The first is the security group entries required in the AWS VPC SG so that you can connect from your LAN into the newly launched instance (e.g. via RDP). RDP requires access on TCP port 3389, it's also quite nice to have ICMP ping enabled (which server engineer doesn't use ping?), and there is a further range of ports required for AD authentication. To facilitate connectivity during setup you may like to open up full access to/from your business LAN from the word go: it's far easier to lock down ports once everything is working, and as we are connecting to our VPC and subnet via a secure IPsec VPN tunnel, a security group that is open only to our LAN isn't really a major concern. Here's a grab of the open AWS VPC SG config to match our example (Fig:2):
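The two stages described above, the wide-open LAN rule for setup followed by the lock-down once authentication works, as an added example that is not part of the original post and not Cirronix's own tooling. It assumes the AWS Tools for PowerShell module (the `Grant-EC2SecurityGroupIngress`, `Revoke-EC2SecurityGroupIngress` and `Get-EC2SecurityGroup` cmdlets) with credentials already configured; the security group id and the LAN CIDR are placeholders, and the port list in the lock-down phase is the standard set of AD DS service ports a domain member talks to, which the post only refers to as "a range of ports".

```powershell
# Added example, not from the original post. Requires the AWS Tools for PowerShell module.
# sg-0123456789abcdef0 and 192.168.10.0/24 are placeholders for the VPC security group
# from Fig:2 and the business LAN on the far side of the IPsec tunnel.
Import-Module AWSPowerShell

$SecurityGroupId = 'sg-0123456789abcdef0'   # placeholder
$LanCidr         = '192.168.10.0/24'        # placeholder

# Phase 1 (setup): the open rule the post describes. Scoped to the LAN CIDR only,
# never 0.0.0.0/0, so the only path in is still the VPN tunnel.
$allFromLan = @{ IpProtocol = '-1'; IpRanges = $LanCidr }
Grant-EC2SecurityGroupIngress -GroupId $SecurityGroupId -IpPermission @($allFromLan)

# Phase 2 (lock-down): replace the open rule with the ports a domain member actually uses.
$adRules = @(
    @{ IpProtocol = 'icmp'; FromPort = -1;    ToPort = -1    }   # ping, as the post suggests
    @{ IpProtocol = 'tcp';  FromPort = 3389;  ToPort = 3389  }   # RDP for administration
    @{ IpProtocol = 'tcp';  FromPort = 53;    ToPort = 53    }   # DNS
    @{ IpProtocol = 'udp';  FromPort = 53;    ToPort = 53    }
    @{ IpProtocol = 'tcp';  FromPort = 88;    ToPort = 88    }   # Kerberos
    @{ IpProtocol = 'udp';  FromPort = 88;    ToPort = 88    }
    @{ IpProtocol = 'udp';  FromPort = 123;   ToPort = 123   }   # W32Time (NTP), Kerberos needs clock sync
    @{ IpProtocol = 'tcp';  FromPort = 135;   ToPort = 135   }   # RPC endpoint mapper
    @{ IpProtocol = 'tcp';  FromPort = 389;   ToPort = 389   }   # LDAP
    @{ IpProtocol = 'udp';  FromPort = 389;   ToPort = 389   }
    @{ IpProtocol = 'tcp';  FromPort = 445;   ToPort = 445   }   # SMB: SYSVOL, NETLOGON, group policy
    @{ IpProtocol = 'tcp';  FromPort = 464;   ToPort = 464   }   # Kerberos password change
    @{ IpProtocol = 'udp';  FromPort = 464;   ToPort = 464   }
    @{ IpProtocol = 'tcp';  FromPort = 636;   ToPort = 636   }   # LDAPS
    @{ IpProtocol = 'tcp';  FromPort = 3268;  ToPort = 3269  }   # Global Catalog (plain and TLS)
    @{ IpProtocol = 'tcp';  FromPort = 49152; ToPort = 65535 }   # dynamic RPC range, Server 2008 and later
)
foreach ($rule in $adRules) { $rule.IpRanges = $LanCidr }   # every rule is LAN-scoped

# Add the narrow rules first, then remove the open one, so connectivity is never lost.
Grant-EC2SecurityGroupIngress  -GroupId $SecurityGroupId -IpPermission $adRules
Revoke-EC2SecurityGroupIngress -GroupId $SecurityGroupId -IpPermission @($allFromLan)

# Check: what is now allowed in, and from where.
(Get-EC2SecurityGroup -GroupId $SecurityGroupId).IpPermissions |
    Select-Object IpProtocol, FromPort, ToPort, @{ n = 'Cidr'; e = { $_.Ipv4Ranges.CidrIp -join ',' } } |
    Sort-Object IpProtocol, FromPort | Format-Table -AutoSize
```

The order in phase 2 matters: granting the narrow rules before revoking the open one means the RDP session you are running this from stays up throughout. The final `Get-EC2SecurityGroup` listing is the check to keep for the change record; anything still showing protocol `-1` or a CIDR wider than the LAN has not been locked down.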


You should now be able to ping and RDP into the new instance. The next stage is to create an igw and associate it with the route table (Fig:3):


Launch a suitable MS Server 2012 EC2 base instance into the VPC subnet, check 'Auto-assign a public IP' (needed for internet access), connect, and configure it with the Active Directory Domain Services role as a Domain Controller.

AD DS installation is outside the scope of this article, although we would be more than happy to provide supplemental advice on a project basis should you require assistance. That said, there are a couple of pointers still worth a mention in relation to the model we are describing. Firstly, make sure to install the DNS service and set the server to point at itself for DNS; secondly (and more obviously), promote the server to Domain Controller status (as the DC of a new forest).
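The two pointers above (DNS role with the server pointed at itself, then promotion to DC in a new forest) carried out from PowerShell on the Server 2012 instance, as an added example that is not part of the original post. The interface alias, the instance's private VPC address and the domain name are placeholders; the cmdlets used (`Install-WindowsFeature`, `Set-DnsClientServerAddress`, `Install-ADDSForest`) ship with Server 2012.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# Server 2012 instance. Placeholders: 'Ethernet', 10.0.0.10, corp.example.com, CORP.
Import-Module ServerManager

$InterfaceAlias = 'Ethernet'          # placeholder: the instance's single NIC
$DcAddress      = '10.0.0.10'         # placeholder: the instance's private IP in the VPC subnet
$DomainName     = 'corp.example.com'  # placeholder: the new forest root domain
$NetbiosName    = 'CORP'              # placeholder

# 1. AD DS role, the DNS Server role and the management tools (includes dcdiag).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. Point the server's DNS client at itself, as the post advises. The private address goes
#    first so clients and the DC resolve the same way; loopback stays as a fallback.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($DcAddress, '127.0.0.1')

# 3. Promote to Domain Controller in a new forest. The DSRM password is read interactively
#    rather than stored in the script. Install-ADDSForest reboots the server when it finishes.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# 4. After the reboot, in a new session: confirm the DC is advertising and its DNS is sane
#    before any client is pointed at it across the VPN.
#    dcdiag /test:DNS /test:Advertising
#    Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4
```

Step 4 is the check worth insisting on: a DC that passes `dcdiag /test:Advertising` has registered the SRV records the Windows 8 clients will look up through the tunnel, and a failing DNS test at this point is far cheaper to diagnose than a domain join that times out on the far side of the VPN.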

With AD DS installed and the server running as a DC it's time to complete the loop by joining your local Windows 8 client(s) to the AWS VPC hosted MS AD 2012 Domain via the VPN connection. An easy trick to make this go smoothly once again involves DNS settings (most things do): just make sure the local Windows 8 client has the AD DC set as its main DNS server, with your local LAN DNS as secondary, so that the client still has direct internet access itself. Fig:4 shows how these entries would look on the Windows 8 client for our example:


Windows 8 domain join hasn't changed from Windows 7 (or before) and is carried out via the System and Security applet of Control Panel under Computer name, Domain and Workgroup settings (Change settings). Input the AD domain name plus the DC Administrator name and password when prompted; if all goes well you'll get the 'Welcome to the <your-domain-name-here> Domain' message. Reboot, CTRL+ALT+DELETE and log in with a relevant user name from the AD domain.
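The client side of the same procedure (DNS order from Fig:4, then the domain join) from an elevated PowerShell prompt on the Windows 8 client, as an added example that is not part of the original post. It adds a pre-flight check the post does not show: before attempting the join, resolve the domain's DC SRV record against the DC and confirm LDAP is reachable through the tunnel, since those are the two things that fail silently when the VPN or DNS order is wrong. Interface alias, DC address, LAN DNS address and domain name are placeholders.

```powershell
# Added example, not from the original post. Run as a local administrator on the Windows 8
# client. Placeholders: 'Ethernet', 10.0.0.10, 192.168.10.1, corp.example.com.
$InterfaceAlias = 'Ethernet'
$DcAddress      = '10.0.0.10'         # the AD DC across the VPN: primary DNS, as in Fig:4
$LanDns         = '192.168.10.1'      # local LAN gateway / DNS: secondary, keeps internet access
$DomainName     = 'corp.example.com'

# 1. DNS order: DC first so SRV lookups for the domain succeed, LAN resolver second.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($DcAddress, $LanDns)
Clear-DnsClientCache

# 2. Pre-flight: the join cannot succeed if the client can't locate a DC through the tunnel.
#    -ErrorAction Stop aborts the script here rather than failing later inside Add-Computer.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcAddress -ErrorAction Stop
$dcHosts = $srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
Write-Host "DC(s) advertised for ${DomainName}: $($dcHosts -join ', ')"
$ldap = Test-NetConnection -ComputerName $DcAddress -Port 389
if (-not $ldap.TcpTestSucceeded) { throw "LDAP (TCP 389) to $DcAddress is blocked; check the VPN and the VPC security group." }

# 3. Join the domain. Prompting for the credential avoids a password in the script or history.
$cred = Get-Credential -Message "Account with rights to join computers to $DomainName"
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force

# 4. After the reboot, logged on with a domain account, confirm the machine's secure channel:
#    Test-ComputerSecureChannel -Verbose
#    nltest /dsgetdc:corp.example.com
```

The SRV lookup is deliberately sent to `$DcAddress` with `-Server` rather than to whatever the resolver order happens to be, so a stale cache or a LAN resolver answering first cannot mask a misconfigured DNS order; if step 2 passes and the join still fails, the problem is credentials or the security group, not name resolution.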

With basic domain login and auth configured you may wish to continue into group policy configs for mapped home directories or what have you, and again this is outside the scope of this article (we would be here all week, if not longer).

If you would like information on any procedures detailed in this post, or have any cloud related, AWS or Linux support requirements please feel free to get in touch with us to discuss your needs. Cirronix are an AWS Consulting Partner and would be more than happy to help you with your projects.
