
Microsoft Active Directory (v14 Infinity) - Runbook

 


Common Operational Tasks

Add Additional Domain Controllers

Important! To ensure successful replication between domain controllers, you must launch an additional domain controller in the same deployment, cloud, and region (when applicable).

  1. Clone the "primary" domain controller server and name the new server accordingly. (e.g. AD Additional) 
  2. (If you're using AWS) Under the Info tab of the additional server, change the availability zone.
  3. Under the server's Inputs tab, set the following inputs. Typically, you will only want to change the AD_DOMAIN_CONTROLLER input and set the PDC_DNS_IP input. The other inputs should probably be inherited from the deployment level and match the inputs set for the primary server.
AD_ADMIN_PASSWORD
  Set the password for the privileged Active Directory account. This should be at least 7 characters long with at least one uppercase letter, one lowercase letter, and one digit. It's strongly recommended that you use a RightScale Credential (Design > Credentials) to hide the actual password from non-admin users while still allowing them to pass the appropriate value as an input. Ex: cred:MY_AD_ADMIN_PASSWORD
  Example value: cred: AD_ADMIN_PASSWORD
AD_DOMAIN_NAME
  The fully qualified Active Directory domain name for this server. Example: mydomain.local
  Example value: text: mydomain.local
AD_NETWORK_INTERFACE
  Use this input to specify which network interface should be used for network communication between domain controllers and member servers. The recommended option is the private interface. Example: text:private
  Example value: text: private
AD_SAFE_MODE_ADMIN_PASSWORD
  Administrator's account password for safe mode. This password is used for disaster recovery of Active Directory. It's strongly recommended that you use a RightScale Credential (Design > Credentials) to hide the actual password from non-admin users while still allowing them to pass the appropriate value as an input. Example: cred:AD_SAFE_MODE_PASSWORD
  Example value: cred: AD_SAFE_MODE_ADMIN_PASSWORD
AD_LINEAGE_NAME
  WARNING: AD backups will not work if the server is locked. The lineage of the Active Directory backups: a string that is used to track all backups in a certain 'set', usually deployment wide. Ex: ADBACKUP
  Example value: text: mylineage
ADMIN_PASSWORD
  Set the password for the local Administrator account. This should be at least 7 characters long with at least one uppercase letter, one lowercase letter, and one digit.
  Example value: cred: ADMIN_PASSWORD
SYS_WINDOWS_TZINFO
  Sets the system timezone to the timezone specified, which must be a valid Windows timezone entry. You can find a list of valid examples using TZUTIL /L from a command prompt. You may override the dropdown if you do not see your timezone listed.
  Example value: text: UTC
  4. Launch the additional server.

ENABLE CONTINUOUS BACKUPS - Establish a Backup Schedule

Default: Weekly backups

As covered in the Microsoft documentation (including the Microsoft TechNet article Backing Up Active Directory Domain Services), you should schedule regular Active Directory backups to support dependable operations. The Microsoft Active Directory ServerTemplate includes an operational script for this: SYS Install AD backup policy. This script creates a Windows scheduled task to run periodic system state backups.

Assuming that your cloud supports volume storage, backups are initially saved as volume snapshots. (See About Elastic Block Store (EBS) for more information about how volume snapshots are stored and referenced.) 

After setting up domain controllers, we recommend running SYS Install AD backup policy to create a scheduled backup task on one or more of your servers. The SYS Install AD backup policy operational script references another operational script, AD Create system state backup, which, in turn, creates a system state backup of the server using the inputs listed in the next table. For security reasons, the script creates a new Windows domain account—AdBackup—with a randomly generated password, under which the scheduled task runs.

By default, the scheduled task will run once per week, every Sunday at 3:00 AM. However, you can customize this schedule to meet your needs, using the "SCHEDULE" RightScript inputs listed in the table below. Microsoft recommends that you schedule daily backups on at least two unique domain controllers in your configuration. All user inputs listed in the following table are optional; the script-defined default values applied when these inputs are left unset are listed in the "Description" column. 

BACKUP

AD_LINEAGE_NAME
  WARNING: AD backups will not work if the server is locked. The lineage of the Active Directory backups: a string that is used to track all backups in a certain 'set', usually deployment wide. Ex: ADBACKUP
  Example value: text: mylineage
AD_BACKUP_KEEP_LAST
  The total number of Active Directory backups to keep on the backup volume. When this limit has been reached, the oldest backup is deleted, but it can still be restored from older snapshots. Default value is 5. Example: text:10
  Example value: text: 5
AD_BACKUP_SCHEDULE
  Use this input to specify at which time(s) of the day to create an Active Directory backup. This should be a comma-separated list of HH:MM strings. Default value is 06:00. Example: 06:00,22:00
  Example value: text: 06:00

Note: If you need to modify your scheduled backup task after running the AD Create system state backup script, you must log into your domain controller via RDC and edit it there. Running this script with different inputs does not update the existing scheduled task but, rather, creates an additional, new scheduled task.

Create a new user

Once the server is operational, run the AD DS Create a new user operational script with appropriate values for the following inputs.

The created user will NOT have 'administrator' privileges. The user will only be a member of the Domain Users group (FQDN_DOMAIN_NAME). Once a user is created, you can adjust their permissions accordingly in an RDP session.

AD_USER_FIRST_NAME
  The first name of the new user. (e.g. John)
  Example value: text: John
AD_USER_LAST_NAME
  The last name of the new user. (e.g. Smith)
  Example value: text: Smith
AD_USER_LOGIN
  The username of the new user. (e.g. jsmith)
  Example value: text: jsmith
AD_USER_PASSWORD
  The password for the new user. The password must satisfy Windows' minimum requirements for a Windows administrator password; otherwise the random password that is generated for you at boot time (located under the server's Info tab, 'Initial Admin Password' field) will be used instead. The password should be at least 7 characters long with at least one upper case letter, one lower case letter and one digit. Use a credential to hide this value from being displayed as text in the audit entry.
  Example value: cred: JOHN_SMITH_PASSWORD

Create a new distribution group

A distribution group is created at boot time when the server is launched. However, if you want to create a new distribution group, run the AD DS Create a new group operational script with appropriate values for the following inputs.

GROUP_DESCRIPTION
  The description of the new group. (e.g. John)
  Example value: text: Custom
GROUP_NAME
  The name of the new group. (e.g. Team A)
  Example value: text: Team A
GROUP_SCOPE
  Defines the group's scope.
    • DomainLocal
    • Global
    • Universal
  Example value: text: Universal
GROUP_TYPE
  Defines the group's type.
    • Distribution - Used to send email to collections of users. Distribution groups are not security-enabled, so they cannot be listed in discretionary access control lists (DACLs).
    • Security - Used to set permissions on objects in Active Directory and to assign access permissions to shared resources on your network.
  Example value: text: Security

Create a backup

To manually take a backup of the current state of the Active Directory database, run the AD DS Perform system state backup operational script with appropriate values for the following inputs.

AD_LINEAGE_NAME
  The Active Directory's lineage name is used to tag the volume snapshots appropriately for identification purposes. (e.g. rs_backup:lineage=ProjectName) Later, when you restore the database on a new server, you will specify the lineage name so that the appropriate backup can be properly selected. (e.g. ProjectName)
  Example value: text: ProjectName
AD_BACKUP_KEEP_LAST
  The total number of Active Directory backups to keep on the backup volume. When this limit has been reached, the oldest backup is deleted, but it can still be restored from older snapshots. Default value is 5. Example: text:10
  Example value: text: 5

Check the backup to make sure that it contains the appropriate tags and is "available" for use before you attempt to use it for a restore task. For example, if you are using AWS, backups are saved as volume snapshots. 

  1. Go to Clouds > EC2-Region > Volume Snapshots.
  2. The snapshot should have a database lineage tag that matches the AD Lineage Name. In the example below, AD_LINEAGE_NAME = vitaly.

[Screenshot: volume snapshot tagged with the AD backup lineage (screen_AD-Backup-Snapshot_v1.png)]

DISASTER RECOVERY - Restore from a backup

You can only use the restore procedure described below if you have at least one completed backup snapshot of the Active Directory's data store that was created by running the AD DS Perform system state backup script.

  1. Clone the existing AD server.
  2. Launch the cloned server.
  3. At the Inputs Confirmation page, set the following inputs with the appropriate values. By default, the most recently completed backup (as specified by the AD_LINEAGE_NAME input) will be used to restore the database. However, you can use the following inputs to select an older backup or one from a different lineage, if desired.
AD_LINEAGE_NAME
  The Active Directory's lineage name is used to identify the correct backup snapshot to use for a restoration. The script will select the backup snapshot by using its tag. (e.g. rs_backup:lineage=mylineage)
  Example value: text: mylineage
AD_RESTORE_MODE
  Since you are using a backup volume snapshot to restore the database, set this input to 'true' instead of 'false' (default).
  Example value: text: true
AD_RESTORE_TIMESTAMP
  If left undefined, the most recently completed backup snapshot will be used by default. To use a specific backup, specify the timestamp of the desired backup snapshot, which is denoted by the 'timestamp' tag. For example, if the snapshot has the tag 'rs_backup:timestamp=1358980379', you would specify '1358980379' for this input.
  Example value: text: 1358980379
BACKUP_VOLUME_SIZE
  The size of the backup volume in gigabytes. You should have already set this input prior to launching the server. (e.g. 20)
  Example value: text: 20
VOLUME_SIZE
  Specify the size of the volumes (in gigabytes) for the Active Directory data and log files. (e.g. 10)
  Example value: text: 10
  4. Launch the server. (Note: The server will reboot after restoring the Active Directory.)
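The selection rule these inputs describe, written out as an added example (this is not the RightScale restore script): it reads the rs_backup:lineage= and rs_backup:timestamp= tags from constructed snapshot records, skips snapshots that are not yet available (the check recommended under Create a backup), and returns the newest one, or the exact one when AD_RESTORE_TIMESTAMP is set. The Snapshot record shape and the sample data are assumptions made for the example.

```python
"""Model of how AD_LINEAGE_NAME / AD_RESTORE_TIMESTAMP pick a backup snapshot.
Added example; the tag names come from the runbook, the record shape is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Snapshot:
    snapshot_id: str
    state: str                        # the runbook's wording: 'available' when usable
    tags: List[str] = field(default_factory=list)

    def tag_values(self) -> Dict[str, str]:
        """Split 'namespace:key=value' tags into {'namespace:key': 'value'}."""
        values = {}
        for tag in self.tags:
            if "=" in tag:
                key, _, value = tag.partition("=")
                values[key] = value
        return values


def select_restore_snapshot(snapshots: List[Snapshot], lineage: str,
                            restore_timestamp: Optional[str] = None) -> Snapshot:
    """Match rs_backup:lineage, require an available snapshot, then take the
    exact rs_backup:timestamp when one is given or the most recent otherwise."""
    candidates = []
    for snap in snapshots:
        tags = snap.tag_values()
        if tags.get("rs_backup:lineage") != lineage:
            continue
        if snap.state != "available":           # still being created: not restorable
            continue
        stamp = tags.get("rs_backup:timestamp")
        if stamp is None or not stamp.isdigit():
            continue                            # untagged snapshot: never pick it
        candidates.append((int(stamp), snap))
    if restore_timestamp is not None:
        if not restore_timestamp.isdigit():
            raise ValueError("AD_RESTORE_TIMESTAMP must be the numeric 'timestamp' tag value")
        wanted = int(restore_timestamp)
        for stamp, snap in candidates:
            if stamp == wanted:
                return snap
        raise LookupError(f"no available snapshot in lineage {lineage!r} "
                          f"with rs_backup:timestamp={restore_timestamp}")
    if not candidates:
        raise LookupError(f"no available snapshot in lineage {lineage!r}")
    return max(candidates, key=lambda pair: pair[0])[1]


# Constructed sample data in the tag format the runbook describes.
SAMPLE_SNAPSHOTS = [
    Snapshot("snap-0001", "available",
             ["rs_backup:lineage=mylineage", "rs_backup:timestamp=1358980379"]),
    Snapshot("snap-0002", "available",
             ["rs_backup:lineage=mylineage", "rs_backup:timestamp=1359585179"]),
    Snapshot("snap-0003", "pending",           # newest, but not yet usable
             ["rs_backup:lineage=mylineage", "rs_backup:timestamp=1360190000"]),
    Snapshot("snap-0004", "available",
             ["rs_backup:lineage=otherlineage", "rs_backup:timestamp=1360190000"]),
]

if __name__ == "__main__":
    # Default: newest available snapshot in the lineage (snap-0002, not the pending one).
    print(select_restore_snapshot(SAMPLE_SNAPSHOTS, "mylineage").snapshot_id)
    # Explicit timestamp: the older snapshot is chosen instead.
    print(select_restore_snapshot(SAMPLE_SNAPSHOTS, "mylineage", "1358980379").snapshot_id)
```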

FAILOVER - Transfer or Seize FSMO roles

By default, the primary domain controller holds the "operations master" (i.e. Flexible Single Master Operations (FSMO)) roles; the first domain controller that is launched becomes the primary. If you have both a primary and an additional domain controller connected on the same network domain, you can transfer the FSMO roles from the primary to the additional/secondary domain controller by running the AD DS Transfer FSMO roles (v14.x) operational script on the additional/secondary domain controller. No input values are required.

Create bulk set of new users

Use the AD DS Bulk create new user RightScript to create one or more new users in a bulk process, based on a comma-separated values (CSV) file. The CSV file attachment must be 100 MB or smaller. RightScript attachments larger than 100 MB are not supported. The CSV file should have the following four columns (i.e. fields per record):

  • First name
  • Last name
  • User name
  • Password


Example CSV format:

Anderson,John,j.anderson,Zxy34ig
Smith,Bob,bob.smith,Yhfnw2dss

 

Follow the steps below to add users.

  1. Since the CSV file must be uploaded to the server, open a Remote Desktop connection and upload the file using the clipboard.
  2. If you are only going to perform this action once, simply run the modified RightScript as an 'Any Script' on the running server. However, if you always want the same bulk set of users to be created at launch time, you will need to clone the ServerTemplate and add the modified script to the end of the boot script list, and launch a new server with the modified ServerTemplate.
  3. Execute the AD DS Bulk create new user operational script and make sure you have the correct value for the following input.

 

CSV_FILE_PATH
  Specify the full path to the CSV file on the local file system.
  Example value: text: C:\Windows\Temp\userlist.csv
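A pre-upload check for the CSV described in this section, added here as an example (it is not the AD DS Bulk create new user RightScript): it enforces the four-column layout, the 100 MB attachment limit, and the password rule the runbook states for AD_USER_PASSWORD, AD_ADMIN_PASSWORD and ADMIN_PASSWORD (at least 7 characters with one upper case letter, one lower case letter and one digit). The sample rows are constructed.

```python
"""Validate a bulk-user CSV before it is copied to the domain controller.
Added example, not a RightScale script. Columns and rules come from the runbook."""
import csv
import io
from typing import List, Tuple

COLUMNS = ("first_name", "last_name", "user_name", "password")
MAX_ATTACHMENT_BYTES = 100 * 1024 * 1024     # RightScript attachment limit from the runbook


def password_meets_policy(password: str) -> bool:
    """The minimum the runbook states: length >= 7, one upper, one lower, one digit."""
    return (len(password) >= 7
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def check_user_csv(text: str) -> Tuple[List[dict], List[str]]:
    """Parse CSV text and return (accepted rows, problems).

    A row with any problem is left out of the accepted list so the file can be
    corrected before the script runs; the script itself would otherwise create
    the account with whatever it found."""
    problems: List[str] = []
    if len(text.encode("utf-8")) > MAX_ATTACHMENT_BYTES:
        problems.append("file exceeds the 100 MB RightScript attachment limit")
        return [], problems
    accepted, seen_logins = [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue                                     # skip blank lines
        if len(row) != len(COLUMNS):
            problems.append(f"line {lineno}: expected 4 fields, got {len(row)}")
            continue
        user = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        if not all(user[name] for name in COLUMNS):
            problems.append(f"line {lineno}: empty field")
            continue
        # AD logon names are case-insensitive, so compare them lower-cased.
        if user["user_name"].lower() in seen_logins:
            problems.append(f"line {lineno}: duplicate user name {user['user_name']!r}")
            continue
        if not password_meets_policy(user["password"]):
            problems.append(f"line {lineno}: password for {user['user_name']!r} "
                            "does not meet the 7-char/upper/lower/digit rule")
            continue
        seen_logins.add(user["user_name"].lower())
        accepted.append(user)
    return accepted, problems


# Constructed sample: the runbook's two example rows plus two deliberately bad ones.
SAMPLE_CSV = """Anderson,John,j.anderson,Zxy34ig
Smith,Bob,bob.smith,Yhfnw2dss
Jones,Ann,ajones,weakpass
Smith,Robert,BOB.SMITH,Abcdef12
"""

if __name__ == "__main__":
    ok, bad = check_user_csv(SAMPLE_CSV)
    print(f"{len(ok)} rows accepted, {len(bad)} rejected")
    for problem in bad:
        print(" -", problem)
```

Because the file carries cleartext passwords, remove it from C:\Windows\Temp once the script has run.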

Change the Administrator password

To change the password of the 'administrator' user defined by the AD_ADMIN_ACCOUNT input, run the AD Change Administrator password operational script with appropriate values for the following inputs.

AD_ADMIN_PASSWORD
  Specify the new password for the 'administrator' user specified by the AD_ADMIN_ACCOUNT input. It's strongly recommended that you use a credential to hide this value.
  Example value: cred: NEW_AD_ADMIN_PASSWORD

Change the boot mode of the OS

Use the operational scripts below to change the server's boot mode. No inputs are required.

  • SYS Change to safe boot mode - Changes the OS boot mode from normal to Directory Services Restore Mode (DSRM). DSRM allows Active Directory to be restored from a backup onto a new instance.
  • SYS Change to normal boot mode - Changes the OS boot mode from DSRM back to normal.

Update a DNS record with an IP address

By default, remote servers will connect/join an AD domain by using tags. However, if you want the server to connect to the AD using an IP or DNS record instead, use the following script and inputs to update an existing DNS record with the primary AD server's private/public IP address.

  1. Make sure the DNS record already exists with your DNS service provider. Currently, it should just have a placeholder IP address that you'll soon update with the desired public/private IP address of the primary AD server by executing the following script.
  2. Run the DNS Register IP operational script on the "primary" AD server.
  3. Provide values for the following required inputs.

 

DNS_DOMAIN_NAME
  If you are using a DNS service provider that references records by an FQDN instead of a string ID, use this input to specify the fully qualified domain name that points to the standalone or principal database server. (e.g. primary-ad.example.com)
  Examples:
    • DynDNS: primary-ad.example.com (FQDN)
  Example value: text: primary-ad.example.com
DNS_ID
  If you are using a DNS service provider that references records by a unique string ID, use this input to identify your standalone or principal database server to your DNS provider.
  Examples:
    • DNS Made Easy: 1234567 (Dynamic DNS ID)
    • Amazon Route53: Z3DSDFSDFX (Hosted Zone ID)
  Example value: text: 1234567
DNS_IP_ADDRESS
  Specify whether to use the instance's private or public IP address to update the DNS record.
    • Public IP
    • Private IP
  Example value: text: Public IP
DNS_PASSWORD
  The password used to log into your DNS provider.
    • DNS Made Easy - DME Password
    • DynDNS - DynDNS Password
    • Amazon Route 53 - AWS Secret Access Key
  Example value: cred: DNS_PASSWORD
DNS_SERVICE
  Select the DNS provider that will be used to update the DNS record of the principal database server.
    • DNS Made Easy
    • DynDNS
    • Route53
  Example value: text: (one of the providers listed above)
DNS_TTL
  Specify the TTL of the DNS record that will be updated. (e.g. 60)
  Example value: text: 60
DNS_USER
  The username used to log into your DNS provider.
    • DNSMadeEasy - DME Username
    • DynDNS - DynDNS Username
    • Amazon Route 53 - AWS Access Key ID
  Example value: cred: DNS_USERNAME

Connect or Disconnect a remote server to the domain controller using a FQDN or IP

To connect a remote server to a domain controller that was launched in a cloud using the Microsoft Active Directory ServerTemplate, you must first configure the domain controller to accept ingress communication from the remote server. See the Create a Windows firewall permission steps.

By default, remote servers will connect to the domain controller using tags. However, you may need to connect servers where tags are not available or supported. For example, the remote server may be located in a different cloud/region where it has no access to the domain controller on the private network, or the tag scope of the deployment that contains the domain controller is not account-wide and the remote server is in a different deployment than the domain controller. In such cases, you can connect to the primary AD server using either an IP address or an FQDN.

  1. Make sure the domain controller is configured to accept requests from the remote server. You may need to update the domain controller's firewall permissions accordingly.
  2. If you used a ServerTemplate to launch the remote server, run the following RightScripts as 'Any Scripts' on the running server. If you anticipate performing this action more than once, you may want to edit the ServerTemplate and add these RightScripts to the Operational Scripts list.
    • Execute the SYS Install RightScale Powershell library (v14.x) operational RightScript to satisfy the prerequisites for the subsequent join/leave scripts. Wait for the script to be completed.
    • Run the SYS Join AD domain (v14.x) operational RightScript. Once the script is completed, check the server's tags to verify that it properly joined the correct AD domain.
AD_ADMIN_ACCOUNT
  The login name of an account with administrative rights in Active Directory. Example: Administrator. (Note: "Administrator" will be used as the default value for the AD_ADMIN_ACCOUNT input if it's unset at launch time. However, the input must match the value specified for the ADMIN_ACCOUNT_NAME input that was set for the AD servers.)
  Example value: text: Administrator
AD_ADMIN_PASSWORD
  Specify the password for the 'administrator' user specified by the AD_ADMIN_ACCOUNT input. It's strongly recommended that you use a credential to hide this value.
  Example value: cred: AD_ADMIN_PASSWORD
AD_CONTROLLER_IP
  If the remote server is going to connect to the AD domain controller using an IP address, specify the IP address of the AD domain controller that the server will connect to. Make sure the IP address matches the selected interface (AD_NETWORK_INTERFACE).
  Example value: text: 192.23.45.678
AD_DOMAIN_NAME
  If the remote server is going to connect to the AD domain controller using an FQDN, specify the FQDN that points to the primary Active Directory controller that the server will join.
  Example value: text: ad-primary.example.com
AD_NETWORK_INTERFACE
  The interface used for domain communication.
    • private
    • public
  Example value: text: public

Install Active Directory Federation Services (ADFS)

Run the AD DS Install ADFS operational script to install Active Directory Federation Services (adds appropriate Windows OS feature). No input values are required.

Terminate the Server

If you want to terminate the primary domain controller, you may want to promote the additional domain controller (if available) to become the new primary domain controller before terminating the current primary domain controller. See FAILOVER - Transfer or Seize FSMO roles.

You should also consider taking a final backup before terminating the server.

If you are absolutely positive that you no longer need the primary domain controller, it is safe to terminate the server.

Install RightScale Powershell Library

Installs the RightScale Powershell Library, which is a prerequisite before you can run the 'SYS Setup firewall rule' and 'SYS Dump firewall rules' operational scripts.

Join or Leave Active Directory Domain Controller

The procedure and inputs are the same as those in the Connect or Disconnect a remote server to the domain controller using a FQDN or IP section above.

Enable or Disable Windows Firewall

Run the 'SYS Enable Windows Firewall' and 'SYS Disable Windows Firewall' operational scripts to enable or disable Windows firewall settings. Add the script to the "Boot Scripts" list to enable Windows Firewall by default at boot time when a new instance is launched.

Add or Remove Firewall Rule

Run the 'SYS Setup firewall rule' script to create or remove a firewall rule based on the following inputs.

FIREWALL_RULE_ACTION
  Specify whether you want to enable or disable network access by either creating or removing a firewall rule.
    • Enable
    • Disable
  Example value: text: Enable
FIREWALL_RULE_PORT
  A port number or a comma-separated list of ports. Each port must be an integer in the range 1..65535. Ex: 80
  Example value: text: 80
FIREWALL_RULE_REMOTE_IP
  Specify the IP address or range of IP addresses in CIDR notation, with an optional inversion flag. This parameter can take any of the formats below:
    • An individual IP address in dot-decimal notation, ex: 10.10.1.32
    • An IP address followed by a slash and the decimal number of leading bits in the subnet mask. Ex: 92.16.2.0/24
    • An IP address followed by a slash and the subnet mask in dotted-decimal format. Ex: 92.16.2.0/255.255.255.0
    • Any of the formats above with a preceding exclamation mark, so that the whole value represents the inverted set of IP addresses (i.e. all IPs except those specified by the address or range). Ex: !92.16.2.0/24
    • The 'Any' keyword, case insensitive.
  Example value: text: 192.16.2.0/24
FIREWALL_RULE_PROTOCOL
  The protocol for the firewall rule. Supported protocols are TCP and UDP.
    • tcp
    • udp
    • both
  Example value: text: tcp
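Input validation for the 'SYS Setup firewall rule' inputs above, added as an example (not RightScale's script): it parses the five FIREWALL_RULE_REMOTE_IP shapes with Python's ipaddress module, checks FIREWALL_RULE_PORT against the 1..65535 rule, and lets you test which addresses a rule (or an inverted rule) would cover before it is created on the domain controller. The function and field names are my own.

```python
"""Pre-flight checks for the 'SYS Setup firewall rule' inputs described above.
Added example, not a RightScale script: a bad value is caught before a rule exists."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RemoteIpSpec:
    network: Optional[ipaddress.IPv4Network]   # None stands for the 'Any' keyword
    inverted: bool                             # True when the value started with '!'

    def matches(self, ip: str) -> bool:
        """Is this address covered by the spec? Inversion means 'everything else'."""
        if self.network is None:
            return True
        inside = ipaddress.IPv4Address(ip) in self.network
        return (not inside) if self.inverted else inside


def parse_remote_ip(value: str) -> RemoteIpSpec:
    """Accept the five shapes listed for FIREWALL_RULE_REMOTE_IP."""
    text = value.strip()
    if text.lower() == "any":                  # keyword is case insensitive
        return RemoteIpSpec(network=None, inverted=False)
    inverted = text.startswith("!")
    if inverted:
        text = text[1:].strip()
        if text.lower() == "any":              # '!Any' would match nothing
            raise ValueError("'Any' cannot be inverted")
    # IPv4Network understands a bare address (-> /32), a prefix length
    # (92.16.2.0/24) and a dotted netmask (92.16.2.0/255.255.255.0).
    # strict=True rejects host bits in a range instead of silently masking them.
    try:
        network = ipaddress.IPv4Network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad FIREWALL_RULE_REMOTE_IP {value!r}: {exc}") from exc
    return RemoteIpSpec(network=network, inverted=inverted)


def parse_ports(value: str) -> List[int]:
    """FIREWALL_RULE_PORT: a single port or comma-separated list, each 1..65535."""
    ports = []
    for item in value.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"port {item!r} is not an integer")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} is outside 1..65535")
        ports.append(port)
    return ports


def validate_rule_inputs(inputs: dict) -> List[str]:
    """Return a list of problems (empty when every input is acceptable)."""
    problems = []
    if inputs.get("FIREWALL_RULE_ACTION") not in ("Enable", "Disable"):
        problems.append("FIREWALL_RULE_ACTION must be Enable or Disable")
    if inputs.get("FIREWALL_RULE_PROTOCOL", "").lower() not in ("tcp", "udp", "both"):
        problems.append("FIREWALL_RULE_PROTOCOL must be tcp, udp or both")
    for name, parser in (("FIREWALL_RULE_PORT", parse_ports),
                         ("FIREWALL_RULE_REMOTE_IP", parse_remote_ip)):
        try:
            parser(inputs.get(name, ""))
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the runbook's own example values.
    sample = {"FIREWALL_RULE_ACTION": "Enable", "FIREWALL_RULE_PORT": "80",
              "FIREWALL_RULE_REMOTE_IP": "192.16.2.0/24", "FIREWALL_RULE_PROTOCOL": "tcp"}
    print(validate_rule_inputs(sample) or "inputs OK")
    spec = parse_remote_ip("!92.16.2.0/24")
    print(spec.matches("92.16.2.7"), spec.matches("10.0.0.1"))   # inverted: False True
```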

List all Firewall Rules

Run the 'SYS Dump firewall rules' script to display a list of all firewall rules, or only the rules created by RightScripts (those with a 'RightScale' prefix in the name). This behavior is controlled by the FIREWALL_RULE_DISPLAY_ALL input. If only RightScale rules are displayed, the script also collects a list of all IP addresses that are granted network access to the current instance, to simplify a network security audit.

FIREWALL_RULE_DISPLAY_ALL
  Specify whether you want to display a list of all firewall rules or only the rules created by RightScripts (those with a 'RightScale' prefix in the name).
    • True
    • False (default)
  Example value: text: True

Configure the Windows Updates Policy

By default, no Windows updates are applied to a running server. However, you can set the following input and run the 'SYS Set Windows Automatic Updates Policy' operational script to define how Windows automatic updates should be applied to an operational Windows server.

WINDOWS_AUTOMATIC_UPDATES_POLICY
  Define the Windows automatic updates policy. Default is no auto updates.
    • Disable automatic updates
    • Install updates automatically
    • Notify before download
    • Notify before installation
  Example value: text: Install updates automatically

Configure the Windows Reboot Policy

Some Windows updates require a server to be rebooted in order to complete the installation process. However, you might want to reboot the instance at a more convenient time in order to reduce the amount of site downtime or negative impact to your end users. In such cases, you can set the following input before running either the 'SYS Install All Windows Updates' or 'SYS Install Microsoft update by KB number' operational script to specify whether or not an instance is allowed to reboot after the script is run. Reboot is not allowed by default.

WINDOWS_UPDATES_REBOOT_SETTING
  Defines whether or not the instance is rebooted after installing a Windows update.
    • Do Not Allow Reboot
    • Allow Reboot
  Example value: text: Allow Reboot

Install Windows Updates

Run the 'SYS Install All Windows Updates' operational script to download and install all new Windows updates. Any updates that require a user to accept a EULA are NOT installed. Use the WINDOWS_UPDATES_REBOOT_SETTING input to control whether or not the instance is rebooted after the updates are installed, if required.

WINDOWS_UPDATES_REBOOT_SETTING
  Defines whether or not the instance is rebooted after installing a Windows update.
    • Do Not Allow Reboot
    • Allow Reboot
  Example value: text: Allow Reboot

Install Microsoft Knowledge Base (KB) Article Updates

Set the following input and run the 'SYS Install Microsoft update by KB number' operational script to install a specific KB update.

To apply the KB updates to the running server at boot time, add the script to the end of the "Boot Scripts" list.

KB_ARTICLE_NUMBER
  Microsoft KB number of the update to be installed. Use the format KBxxxxxx (each x is a digit) or just xxxxxx to specify the number. You can specify either a single KB article number or a comma-separated list.
  Example value: text: 961402
WINDOWS_UPDATES_REBOOT_SETTING
  Defines whether or not the instance is rebooted after installing a Windows update.
    • Do Not Allow Reboot
    • Allow Reboot
  Example value: text: Allow Reboot

Register with a Windows KMS Server

Set the following inputs and run the 'SYS Activate Windows with KMS server' operational script to activate the instance's license with a Microsoft Key Management Server (KMS). Before you run the script, make sure that the KMS server's firewall settings are configured to accept a request from the instance. 

KMS_HOST
  Specify the FQDN or IP address of the KMS server with which the instance will activate its license. e.g., kms.mydomain.com
  Example values: text: kms.example.com or text: 10.567.333.45
KMS_PORT
  The port number that the instance will use to connect to the KMS server. Default value is 1688. e.g., 1688
  Example value: text: 1688
Last modified
15:11, 20 May 2014


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.