AWS Autoscaling Windows Instances in the Domain Environment

   Purpose of the Blog:

It’s been more than 4 years I’m working with AWS but still I feel that Autoscaling with Domain environment is a challenge for the Corporate, Especially if you have PCI and Corporate Policy which will not allow you to use AWS directory service or Simple AD serveries as it is not compliance with PCI.

AWS PCI compliance Services:

URL: https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

And every time you go and ask AWS support they will give you nice document how we can achieve this using AWS Directory services or Sample AD. According to them it is the only way to achieve this at this moment.

So I faced lot of issues to designing autoscaling policy for many corporate organization who want to use autoscaling but not ready to sync the corporate AD with sample AD.

I have told few of my client in recent past the only way to autoscale in the domain environment is we have to use AWS Simple AD and they are not happy with my suggestion.

So this time I tried to do some POC before I tell a corporate client again the same things and yes I have an answer, “We can do this without using AWS directory services/Simple AD also”.

I have written the full steps below how you can achieve this in the domain environment.

Prepare your golden AMI:

• Launch a new windows server instance.
• Open the group policy management console using “gpedit.msc “ from run. Navigate to the console tree, click Scripts (Startup/Shutdown). The path is Computer Configuration\Windows Settings\Scripts (Startup/Shutdown). Select “PowerShell Script” put the below script and select the option “Run Windows PowerShell script first” and save it.

Sample PowerShell Script:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

$newDNSServers = "192.168.152.133","192.168.152.2"

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne $null}

$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}

$domain = "myDomain"

$password = "myPassword!" | ConvertTo-SecureString -asPlainText -Force

$username = "$domain\myUserAccount"

$credential = New-Object System.Management.Automation.PSCredential($username,$password)

Add-Computer –DomainName -  $domain --OUPath "OU=”The OU where you wat to place autoscale servers”,DC=”Domain Prefix” ,DC=”Dommin suffix”  -Credential $credential

shutdown /r /t 90

del C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\script_name.ps1

The Script I used for my POC:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

$newDNSServers = "172.31.0.100 ","172.31.0.2"

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne $null}

$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}

$domain = "aws.local"

$password = "Pass@word1" | ConvertTo-SecureString -asPlainText -Force

$username = "$domain\aws-autoscale"

$credential = New-Object System.Management.Automation.PSCredential($username,$password)

Add-Computer -DomainName $domain -OUPath "OU=aws-autoscale,DC=aws,DC=local" -Credential $credential

shutdown /r /t 90

del C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\test.ps1

 Note about above PowerShell Script: 

I do not want to hardcode the DNS server IP in the network config so I change the DNS setting by using first four command.

The last line “del” command is very important because you will end up with infinite loop if the script run again after the reboot (you need to reboot the system to reflect the domain level changes for the server).

•       I have installed IIS for my sample testing to check the autoscaling using ELB.
•       Once you have configured your webserver settings you need to use “Ec2Config.exe” and shutdown the instance with the process shown below (“Random -Shutdown with sysprep”). 

•  Wait for some time it will run the sysprep and stop the instance. This step is very important because in windows domain environment each computer should have it’s unique SID value. With the help of “Ec2Config.exe” you can retrieve the password from the AWS console for each instances which will come up during autoscaling.  To know more about windows syspep  please go through the below link
•  URL:  https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx
•  Create an AMI of the instance.

         Configure Autoscaling :

          Once the AMI creation is completed configure the autoscaling group. Please refer to the below document for       configuring autoscalling policy.

          URL : http://docs.aws.amazon.com/autoscaling/latest/userguide/setting-up.html

         Validate instances domain/workgroup profile:

          Login to the instances launched by the autoscaling group and check that whether it is added to the domain or     not.

          Few screenshot from my POC :

•         Instances are launched from the autoscaling group.

•      Login to the instances and check that it added to domain or not.

     Test your Sample web application by using ELB URL:                                                                                      

      Check the health of the ELB instances  ( I always prefer to configure http based health check) and  access the web application using the ELB URL.

         Screenshot form my POC:

Health check of the ELB instances launched by an autoscaling group.

Test the web application by using ELB URL.

        Clean up your OU:

      As we are using autoscalling for the domain environment, you can see lots of computer objects still exists in the OU which was already deleted by the autoscaling group termination policy. So it is very important to cleanup those Computer objects .You can use the blow PowerShell script and run it through windows task scheduler cleanup the resources which currently didn’t exist in the domain.

        PowerShell Script:

$then = (Get-Date).AddDays(-15) # The 15 is the number of days from today since the last logon.

        Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer  # If you would like to Remove these computer accounts

Thanks for visiting my Blog Site.

Sudipta Saha

AWS Solution Architect –Professional Level (AWS-PSA-2596)