Purpose of the Blog:
It’s been more than 4 years I’m working with AWS but still I
feel that Autoscaling with Domain environment is a challenge for the Corporate,
Especially if you have PCI and Corporate Policy which will not allow you to use
AWS directory service or Simple AD serveries as it is not compliance with PCI.
AWS PCI compliance
Services:
And every time you go and ask AWS support they will give you
nice document how we can achieve this using AWS Directory services or Sample
AD. According to them it is the only way to achieve this at this moment.
So I faced lot of issues to designing autoscaling policy for
many corporate organization who want to use autoscaling but not ready to sync
the corporate AD with sample AD.
I have told few of my client in recent past the only way to
autoscale in the domain environment is we have to use AWS Simple AD and they
are not happy with my suggestion.
So this time I tried to do some POC before I tell a
corporate client again the same things and yes I have an answer, “We can do this without using AWS directory
services/Simple AD also”.
I have written the full steps below how you can achieve this
in the domain environment.
Prepare your golden AMI:
- Launch a new windows server instance.
- Open the group policy management console using
“gpedit.msc “ from run. Navigate to the console tree, click Scripts
(Startup/Shutdown). The path is Computer
Configuration\Windows Settings\Scripts (Startup/Shutdown).
Select “PowerShell Script” put the
below script and select the option “Run Windows PowerShell script first” and
save it.
Sample
PowerShell Script:
Set-ExecutionPolicy -ExecutionPolicy
RemoteSigned -Force
$newDNSServers =
"192.168.152.133","192.168.152.2"
$adapters = Get-WmiObject
Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne
$null}
$adapters | ForEach-Object
{$_.SetDNSServerSearchOrder($newDNSServers)}
$domain = "myDomain"
$password = "myPassword!" |
ConvertTo-SecureString -asPlainText -Force
$username =
"$domain\myUserAccount"
$credential = New-Object
System.Management.Automation.PSCredential($username,$password)
Add-Computer –DomainName - $domain --OUPath "OU=”The OU where you
wat to place autoscale servers”,DC=”Domain Prefix” ,DC=”Dommin suffix” -Credential $credential
shutdown /r /t 90
del
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\script_name.ps1
The Script I used
for my POC:
Set-ExecutionPolicy -ExecutionPolicy
RemoteSigned -Force
$newDNSServers = "172.31.0.100 ","172.31.0.2"
$adapters = Get-WmiObject
Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne
$null}
$adapters | ForEach-Object
{$_.SetDNSServerSearchOrder($newDNSServers)}
$domain = "aws.local"
$password = "Pass@word1" |
ConvertTo-SecureString -asPlainText -Force
$username =
"$domain\aws-autoscale"
$credential = New-Object
System.Management.Automation.PSCredential($username,$password)
Add-Computer -DomainName $domain
-OUPath "OU=aws-autoscale,DC=aws,DC=local" -Credential $credential
shutdown /r /t 90
del
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\test.ps1
Note about above PowerShell Script:
I do not want to hardcode the DNS server IP in the network
config so I change the DNS setting by using first four command.
The last line “del” command is very important because you
will end up with infinite loop if the script run again after the reboot (you
need to reboot the system to reflect the domain level changes for the server).
- I have installed IIS for my sample testing to
check the autoscaling using ELB.
- Once you have configured your webserver settings
you need to use “Ec2Config.exe” and shutdown the instance with the
process shown below (“Random -Shutdown with sysprep”).
- Wait for some time it will run the sysprep and
stop the instance. This step is very important because in windows domain
environment each computer should have it’s unique SID value. With the help of “Ec2Config.exe” you can retrieve the password from the AWS console
for each instances which will come up during autoscaling. To know more about windows
syspep please go through the below link
- URL: https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx
- Create an AMI of the instance.
Configure Autoscaling
:
Once the AMI creation is completed configure the autoscaling
group. Please refer to the below document for configuring autoscalling policy.
Validate instances
domain/workgroup profile:
Login to the instances launched by the autoscaling group and
check that whether it is added to the domain or not.
Few screenshot from
my POC :
- Instances are launched from the autoscaling
group.
- Login to the instances and check that it
added to domain or not.
Test your Sample web
application by using ELB URL:
Check the health of the ELB instances ( I always
prefer to configure http based health check) and access the web application
using the ELB URL.
Health check of the ELB instances launched by an
autoscaling group.
Test the web application by using ELB URL.
Clean up your OU:
As we are using autoscalling for the domain environment, you
can see lots of computer objects still exists in the OU which was already
deleted by the autoscaling group termination policy. So it is very important to
cleanup those Computer objects .You can use the blow PowerShell script and run
it through windows task scheduler cleanup the resources which currently
didn’t exist in the domain.
PowerShell Script:
$then =
(Get-Date).AddDays(-15) # The 15 is the number of days from today since the
last logon.
Get-ADComputer -Property Name,lastLogonDate
-Filter {lastLogonDate -lt $then} | Remove-ADComputer # If you would like to Remove these computer
accounts
Thanks for visiting
my Blog Site.
Sudipta Saha
AWS Solution
Architect –Professional Level (AWS-PSA-2596)
