Microsoft Active Directory (v13.5 LTS) - Runbook

Common Operational Tasks

Add Additional Domain Controllers

Important! To ensure successful replication between domain controllers, you must launch an additional domain controller in the same deployment, cloud, and region (when applicable).

  1. Clone the "primary" domain controller server and name the new server accordingly. (e.g. AD Additional) 
  2. (If you're using AWS) Under the Info tab of the additional server, change the availability zone.
  3. Under the server's Inputs tab, set the following inputs. Typically, you will only want to change the AD_DOMAIN_CONTROLLER input and set the PDC_DNS_IP input. The other inputs should probably be inherited from the deployment level and match the inputs set for the primary server.
Input Name | Description | Example Value
AD_ADMIN_ACCOUNT | Set to an account with Active Directory administrator permissions. | text: administrator
DOMAIN_ADMIN_PASSWORD | Set to the password of the Active Directory administrator account in AD_ADMIN_ACCOUNT. | cred: AD_ADMIN_PASSWORD
AD_DOMAIN_CONTROLLER | Set to "Additional" to create a non-operations-master domain controller. | text: Additional
PDC_DNS_IP | Set to the public/private IP address of the primary domain controller in the forest. The additional domain controller uses this IP address to locate the "primary" server. If the networking and firewall permissions allow it, use the private IP. You can either enter the IP address as text (text: 10.2.3.4) or use the environment variable option (e.g. env: MyPrimary:PRIVATE_IP). Important! If the additional domain controller is going to connect to the primary domain controller, make sure it is able to communicate with the primary domain controller using its private IP address. | text: 10.2.3.4


  4. Launch the additional server.
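Before and after launching the additional server, it is worth checking that the primary domain controller is actually reachable on the ports replication needs and that replication then succeeds. The PowerShell below is an added example, not RightScale's script; it assumes the PDC_DNS_IP value 10.2.3.4 from the table above and the ActiveDirectory module that ships on a domain controller.

```powershell
# Added example (not part of the RightScale ServerTemplate): run on the
# additional domain controller. $PdcIp mirrors the PDC_DNS_IP input; the
# address is the constructed sample value used in the table above.
$PdcIp = '10.2.3.4'

# TCP ports a domain controller must reach on its replication partner.
# The dynamic RPC range (49152-65535 on Server 2008 and later) must be open too.
$AdTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-PdcReachability {
    param([string]$Ip, [hashtable]$Ports)
    $blocked = @()
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        # Test-NetConnection is available on Windows Server 2012 R2 and later.
        $ok = (Test-NetConnection -ComputerName $Ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) { $blocked += "$port ($($Ports[$port]))" }
    }
    if ($blocked.Count -gt 0) {
        Write-Warning "Primary DC $Ip is not reachable on: $($blocked -join ', '). Fix the security group or firewall before promoting."
        return $false
    }
    Write-Output "All required ports to $Ip are open."
    return $true
}

function Test-AdReplicationHealth {
    # Requires the ActiveDirectory module (RSAT-AD-PowerShell); present on any DC.
    Import-Module ActiveDirectory
    $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME
    $failing  = $partners | Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }
    foreach ($p in $partners) {
        Write-Output ("Partner {0}: last success {1}, result {2}, consecutive failures {3}" -f
            $p.Partner, $p.LastReplicationSuccess, $p.LastReplicationResult, $p.ConsecutiveReplicationFailures)
    }
    return (@($failing).Count -eq 0)
}

if (Test-PdcReachability -Ip $PdcIp -Ports $AdTcpPorts) {
    # Only meaningful once this server has been promoted and has a replication partner.
    if (-not (Test-AdReplicationHealth)) {
        Write-Warning 'Replication errors detected; run repadmin /showrepl for details.'
    }
}
```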

ENABLE CONTINUOUS BACKUPS - Establish a Backup Schedule

Default: Weekly backups

As covered in the Microsoft documentation (including the Microsoft TechNet article Backing Up Active Directory Domain Services), you should schedule regular Active Directory backups to support dependable operations. The Microsoft Active Directory ServerTemplate includes an operational script for this: SYS Install AD backup policy. This script creates a Windows scheduled task to run periodic system state backups.

Assuming that your cloud supports volume storage, backups are initially saved as volume snapshots. (See About Elastic Block Store (EBS) for more information about how volume snapshots are stored and referenced.) 

After setting up domain controllers, we recommend running SYS Install AD backup policy to create a scheduled backup task on one or more of your servers. The SYS Install AD backup policy operational script references another operational script, AD Create system state backup, which in turn creates a system state backup of the server using the inputs listed in the next table. For security reasons, the script creates a new Windows domain account, AdBackup, with a randomly generated password, and the scheduled task runs under that account.

By default, the scheduled task will run once per week, every Sunday at 3:00 AM. However, you can customize this schedule to meet your needs, using the "SCHEDULE" RightScript inputs listed in the table below. Microsoft recommends that you schedule daily backups on at least two unique domain controllers in your configuration. All user inputs listed in the following table are optional; the script-defined default values applied when these inputs are left unset are listed in the "Description" column. 

BACKUP

Input Name | Description | Example Value
AD_LINEAGE_NAME | The lineage name used for all backup snapshots. (Default is AD_BACKUP.) You must reference this lineage value when restoring a server backup via the AD Restore from backup script. | text: ProjectName
SCHEDULE_BACKUP_FREQUENCY | How often the scheduled backup task runs: valid values are "DAILY", "WEEKLY" or "MONTHLY". (Default is "WEEKLY".) | text: WEEKLY
SCHEDULE_BACKUP_TIME | The time of day when the scheduled task runs, in 24-hour hh:mm format. (Default is 03:00, i.e. 3:00 AM.) | text: 03:00
DB_BACKUP_KEEP_LAST | The minimum number of most recent backups to keep for the lineage. (Default is 20.) | text: 60
SCHEDULE_BACKUP_DAY | Used when SCHEDULE_BACKUP_FREQUENCY is "WEEKLY" to indicate the day of the week when the scheduled task runs. (Default is Sunday.) | text: SUN
SCHEDULE_MONTHLY_DAY | Used only when SCHEDULE_BACKUP_FREQUENCY is "MONTHLY" to indicate the day of the month when the scheduled task runs. (Default is 1, the first day of the month.) | text: 2


Note: If you need to modify your scheduled backup task after running the AD Create system state backup script, you must log into your domain controller via RDC and edit it there. Running this script with different inputs does not update the existing scheduled task but, rather, creates an additional, new scheduled task.
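To make the design described above concrete, the following added example (not the SYS Install AD backup policy script itself) creates the scheduled system state backup task with schtasks, mapping the SCHEDULE_* inputs to its arguments, running it under a dedicated AdBackup account with a random password, and refusing to create a duplicate task, since rerunning with new inputs would otherwise add a second task. The backup target volume and the task name are constructed values.

```powershell
# Added example; not RightScale's script. Values below are constructed samples
# standing in for the SCHEDULE_* inputs described in the table above.
$Frequency    = 'WEEKLY'   # SCHEDULE_BACKUP_FREQUENCY: DAILY, WEEKLY or MONTHLY
$Time         = '03:00'    # SCHEDULE_BACKUP_TIME, 24-hour hh:mm
$WeekDay      = 'SUN'      # SCHEDULE_BACKUP_DAY, used for WEEKLY
$MonthDay     = 1          # SCHEDULE_MONTHLY_DAY, used for MONTHLY
$TaskName     = 'AD System State Backup'   # hypothetical task name
$BackupTarget = 'E:'                       # hypothetical backup volume
$BackupUser   = 'AdBackup'

function New-RandomPassword {
    param([int]$Length = 24)
    # Cryptographically random; loop until upper, lower and digit are all present.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    return $pw
}

function Get-ScheduleArgs {
    # Translate the frequency inputs into schtasks /SC and /D arguments.
    param([string]$Freq, [string]$Day, [int]$MonthDay)
    switch ($Freq.ToUpper()) {
        'DAILY'   { return @('/SC', 'DAILY') }
        'WEEKLY'  { return @('/SC', 'WEEKLY', '/D', $Day) }
        'MONTHLY' { return @('/SC', 'MONTHLY', '/D', $MonthDay) }
        default   { throw "Unsupported SCHEDULE_BACKUP_FREQUENCY '$Freq'" }
    }
}

# Rerunning creates a second task rather than updating the first (see the
# note above), so stop if the task already exists.
schtasks /Query /TN "$TaskName" *> $null
if ($LASTEXITCODE -eq 0) { throw "Task '$TaskName' already exists; edit it in Task Scheduler instead." }

Import-Module ActiveDirectory
$password = New-RandomPassword
$secure   = ConvertTo-SecureString $password -AsPlainText -Force
if (-not (Get-ADUser -Filter "SamAccountName -eq '$BackupUser'")) {
    New-ADUser -Name $BackupUser -SamAccountName $BackupUser -AccountPassword $secure `
        -Enabled $true -PasswordNeverExpires $true
}
# Least privilege: Backup Operators can run wbadmin and log on as a batch job on a DC.
Add-ADGroupMember -Identity 'Backup Operators' -Members $BackupUser

$domain   = (Get-ADDomain).NetBIOSName
$command  = "wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet"
$taskArgs = @('/Create', '/TN', $TaskName, '/TR', $command, '/ST', $Time,
              '/RU', "$domain\$BackupUser", '/RP', $password, '/RL', 'HIGHEST') +
            (Get-ScheduleArgs -Freq $Frequency -Day $WeekDay -MonthDay $MonthDay)
& schtasks @taskArgs
```

Snapshotting the backup volume afterwards is the part the RightScale script adds on top of this; the task above only produces the system state backup on the target volume.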

Create a new user

Once the server is operational, run the AD Create a new user operational script with appropriate values for the following inputs.

The created user will NOT have 'administrator' privileges. The user will only be a member of the Domain Users group (FQDN_DOMAIN_NAME). Once a user is created you can adjust their permissions accordingly in an RDP session.

Input Name | Description | Example Value
AD_USER_FIRST_NAME | The first name of the new user. (e.g. John) | text: John
AD_USER_LAST_NAME | The last name of the new user. (e.g. Smith) | text: Smith
AD_USER_LOGIN | The username of the new user. (e.g. jsmith) | text: jsmith
AD_USER_PASSWORD | The password for the new user. The password must satisfy the Windows minimum requirements for an administrator password; otherwise the random password generated for you at boot time (shown in the 'Initial Admin Password' field under the server's Info tab) is used instead. The password should be at least 7 characters long with at least one upper case letter, one lower case letter and one digit. Use a credential so that the value is not displayed as text in the audit entry. | cred: JOHN_SMITH_PASSWORD

Create a new distribution group

A distribution group is created at boot time when the server is launched. However, if you want to create a new distribution group, run the AD Create a new group operational script with appropriate values for the following inputs.

Input Name | Description | Example Value
GROUP_DESCRIPTION | The description of the new group. (e.g. John) | text: Custom
GROUP_NAME | The name of the new group. (e.g. Team A) | text: Team A
GROUP_SCOPE | Defines the group's scope: DomainLocal, Global or Universal. | text: Universal
GROUP_TYPE | Defines the group's type. Distribution: used to send email to collections of users; distribution groups are not security-enabled, so they cannot be listed in discretionary access control lists (DACLs). Security: used to set permissions on objects in Active Directory and to assign access permissions to shared resources on your network. | text: Security

Create a backup

To manually take a backup of the current state of the Active Directory database, run the AD Create system state backup operational script with appropriate values for the following inputs.

Input Name | Description | Example Value
AD_LINEAGE_NAME | The Active Directory lineage name is used to tag the volume snapshots for identification (e.g. rs_backup:lineage=ProjectName). Later, when you restore the database on a new server, you specify the lineage name so that the appropriate backup can be selected. (e.g. ProjectName) | text: ProjectName
AWS_ACCESS_KEY_ID | Valid AWS credentials are required in order to create a volume snapshot. You should have already set this input prior to launching the server. | cred: AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY | Valid AWS credentials are required in order to create a volume snapshot. You should have already set this input prior to launching the server. | cred: AWS_SECRET_ACCESS_KEY
BACKUP_VOLUME_SIZE | The size of the backup volume in gigabytes. You should have already set this input prior to launching the server. (e.g. 20) | text: 20
DB_BACKUP_KEEP_LAST | The total number of volume snapshot backups to keep, as defined by the backup policy. (e.g. 60) | text: 60

DISASTER RECOVERY - Restore from a backup

You can only use the restore script highlighted below if you have at least one completed backup snapshot of the Active Directory's data store that was created by running the AD Create system state backup script.

  1. Before you launch the new server that will become your new primary domain controller, go to the "next" server's Scripts tab and disable the AD Create a Directory Controller operational script (by unchecking it) because instead of building a new Active Directory from scratch, you're going to rebuild it using an existing backup.
  2. Launch the server.
  3. Before you can run the restore script, you must first run the SYS change to safe boot mode operational script to change the boot mode of the operating system from "normal" to "directory services restore mode" (DSRM). A server must be in the DSRM mode in order to restore active directory from a previous backup.
  4. To manually restore the Active Directory database from a previous backup, run the AD Restore from backup operational script with appropriate values for the following inputs.
Input Name | Description | Example Value
AD_LINEAGE_NAME | The Active Directory lineage name is used to identify the correct backup snapshot for a restoration. The script selects the backup snapshot by its tag (e.g. rs_backup:lineage=ProjectName). (e.g. MyProjectName) | text: ProjectName
AD_RESTORE_TIMESTAMP | If left undefined, the most recently completed backup snapshot is used by default. To use a specific backup, specify the timestamp of the desired backup snapshot, which is denoted by the 'timestamp' tag. For example, if the snapshot has the tag 'rs_backup:timestamp=1358980379', specify '1358980379' for this input. | text: 1358980379
AWS_ACCESS_KEY_ID | Valid AWS credentials are required in order to create a volume snapshot. You should have already set this input prior to launching the server. | cred: AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY | Valid AWS credentials are required in order to create a volume snapshot. You should have already set this input prior to launching the server. | cred: AWS_SECRET_ACCESS_KEY
BACKUP_VOLUME_SIZE | The size of the backup volume in gigabytes. You should have already set this input prior to launching the server. (e.g. 20) | text: 20
VOLUME_SIZE | The size of the volumes (in gigabytes) for the Active Directory data and log files. (e.g. 10) | text: 10


  5. Wait for the AD Restore from backup script to complete. Check the server's audit entry to track its status.
  6. On AWS EC2 and Azure, use a Remote Desktop Connection to log into your domain controller under the 'administrator' account with the DSRM ("safe mode") password (SAFE_MODE_PASSWORD).
  7. Execute the appropriate PowerShell script located in the C:\Windows\Temp\RightScale directory. See RightScale Powershell Library.
    • For AWS, run rs_post_ad_restore.ps1
    • For Azure, run rs_post_ad_restore_azure.ps1
  8. Reboot (not Relaunch) the server.
  9. Run the AD Rebuild domain shares operational script to rebuild your domain shares and make the domain controller functional.

Note: If you are using Rackspace Open Cloud, steps 6-8 do not apply and can be ignored because it has automation to perform these actions after a restore. RightScale is currently working on ways to automate a restore on other clouds.

 

FAILOVER - Transfer or Seize FSMO roles

By default, the primary domain controller has "operations master" (i.e. Flexible Single Master Operations (FSMO)) roles. If you have both a primary and an additional domain controller connected on the same network you can run the following script to transfer FSMO roles. 

  • Transfer FSMO roles from primary - Run the AD Transfer FSMO roles operational script on the current primary domain controller instance with appropriate values for the following inputs. Important! The AD_TRANSFER input must be set to 'Transfer'.
  • Seize FSMO roles from primary - Run the AD Transfer FSMO roles operational script on the current primary domain controller instance with appropriate values for the following inputs. Important! The AD_TRANSFER input must be set to 'Seize'.

 

Input Name | Description | Example Value
AD_ADMIN_ACCOUNT | The Windows domain user account used to install Active Directory Domain Services. This account must have Active Directory administrator permissions. | text: administrator
AD_ADMIN_PASSWORD | The password for the 'administrator' user specified by the AD_ADMIN_ACCOUNT input. It's strongly recommended that you use a credential to hide this value. | cred: AD_ADMIN_PASSWORD
AD_NEW_FSMO_HOLDER | The FQDN of the domain controller that will receive the FSMO roles. Typically you would use the same value as the FQDN_DOMAIN_NAME input. | text: rightscale.local
AD_SITE_NAME | The name of the Active Directory site. | text: Site
AD_TRANSFER | Select the desired transfer action. Transfer: transfer all FSMO roles from one domain controller to another. Seize: seize all FSMO roles. | text: Transfer
NETBIOS_DOMAIN_NAME | The NetBIOS name for Active Directory. This value must be 15 characters or less. (e.g. RightScale) | text: RightScale
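The distinction between Transfer and Seize is the important operational point here. The following added example (not the AD Transfer FSMO roles script) moves all five roles with the ActiveDirectory module, using a graceful transfer when the current holder is online and a forced seize only when the AD_TRANSFER value is 'Seize', and then verifies where every role ended up. The target host name and domain are constructed values.

```powershell
# Added example; not RightScale's script. $NewHolder stands in for the
# AD_NEW_FSMO_HOLDER input and $Action for AD_TRANSFER (constructed values).
Import-Module ActiveDirectory
$NewHolder = 'dc2.rightscale.local'   # hypothetical additional DC
$Action    = 'Transfer'               # 'Transfer' or 'Seize'

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([string]$Target, [string]$Mode)
    $params = @{ Identity = $Target; OperationMasterRole = $AllRoles; Confirm = $false }
    if ($Mode -eq 'Seize') {
        # Seizing is a last resort for a holder that is gone for good. The old
        # holder must never return to the network without metadata cleanup,
        # or two DCs will claim the same role.
        $params['Force'] = $true
    } elseif ($Mode -ne 'Transfer') {
        throw "AD_TRANSFER must be 'Transfer' or 'Seize', got '$Mode'"
    }
    Move-ADDirectoryServerOperationMasterRole @params
}

Write-Output 'Before:'
Get-FsmoHolders | Format-Table -AutoSize

Move-AllFsmoRoles -Target $NewHolder -Mode $Action

Write-Output 'After:'
$after = Get-FsmoHolders
$after | Format-Table -AutoSize

# Verify that every role now points at the intended DC.
$wrong = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$NewHolder*" }
if ($wrong) {
    Write-Warning ("Roles not held by {0}: {1}" -f $NewHolder, (@($wrong.Key) -join ', '))
}
```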

Create bulk set of new users

Use the AD Bulk create new user RightScript to create one or more new users in a bulk process, based on a comma-separated values (CSV) file. The CSV file attachment must be 100 MB or smaller. RightScript attachments larger than 100 MB are not supported. The CSV file should have the following four columns (i.e. fields per record):

  • First name
  • Last name
  • User name
  • Password


Example CSV format:

Anderson,John,j.anderson,Zxy34ig
Smith,Bob,bob.smith,Yhfnw2dss

 

Follow the steps below to add users.

  1. Since the CSV file must be uploaded to the server, open a Remote Desktop connection and upload the file using the clipboard.
  2. If you are only going to perform this action once, it's easiest if you simply run the modified RightScript as an 'Any Script' on the running server. However, if you always want the same bulk set of users to be created at launch time, you will need to clone the ServerTemplate and add the modified script to the end of the boot script list, and launch a new server with the modified ServerTemplate.
  3. Execute the AD Bulk create new user operational script and make sure you have the correct value for the following input.

 

Input Name | Description | Example Value
CSV_FILE_PATH | Specify the full path to the CSV file on the local file system. | text: C:\Windows\Temp\userlist.csv
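A practitioner will want to see how the four-column file above is consumed and what is checked before accounts are created. The PowerShell below is an added example, not the AD Bulk create new user script: it reads the header-less CSV in the column order listed above (first name, last name, user name, password), applies the password rule stated for AD_USER_PASSWORD, creates each user as a plain Domain Users member, and removes the file afterwards because it holds clear-text passwords. The UPN suffix is a constructed value.

```powershell
# Added example; not RightScale's script. $CsvPath mirrors CSV_FILE_PATH.
Import-Module ActiveDirectory
$CsvPath   = 'C:\Windows\Temp\userlist.csv'
$UpnSuffix = 'rightscale.local'   # hypothetical domain suffix

function Test-PasswordPolicy {
    # Rule from the page: at least 7 characters, one upper, one lower, one digit.
    param([string]$Password)
    return ($Password.Length -ge 7 -and $Password -cmatch '[A-Z]' -and
            $Password -cmatch '[a-z]' -and $Password -match '\d')
}

function Import-BulkUsers {
    param([string]$Path, [string]$Suffix)
    # -Header means the first line is data, matching a file with no header row.
    $rows = Import-Csv -Path $Path -Header 'FirstName', 'LastName', 'UserName', 'Password'
    $results = @()
    foreach ($r in $rows) {
        $login = [string]$r.UserName
        $login = $login.Trim()
        # Validate before the value is used in an LDAP filter or as sAMAccountName.
        if ($login -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            $results += "SKIP $login : invalid user name"; continue
        }
        if (-not (Test-PasswordPolicy $r.Password)) {
            $results += "SKIP $login : password does not meet policy"; continue
        }
        if (Get-ADUser -Filter "SamAccountName -eq '$login'") {
            $results += "SKIP $login : already exists"; continue
        }
        New-ADUser -Name "$($r.FirstName) $($r.LastName)" -GivenName $r.FirstName -Surname $r.LastName `
            -SamAccountName $login -UserPrincipalName "$login@$Suffix" `
            -AccountPassword (ConvertTo-SecureString $r.Password -AsPlainText -Force) `
            -Enabled $true -ChangePasswordAtLogon $true
        # No group membership is added, so the user is only in Domain Users.
        $results += "OK   $login"
    }
    return $results
}

Import-BulkUsers -Path $CsvPath -Suffix $UpnSuffix
# The CSV holds clear-text passwords; remove it once the users exist.
Remove-Item -Path $CsvPath -Force
```

With the two sample rows from the page, both passwords (Zxy34ig, Yhfnw2dss) pass the policy check and both accounts are created with a forced password change at first logon.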

Change the Administrator password

To change the password of the 'administrator' user defined by the AD_ADMIN_ACCOUNT input, run the AD Change Administrator password operational script with an appropriate value for the following input.

Input Name Description Example Value
AD_ADMIN_PASSWORD Specify the new password for the 'administrator' user specified by the AD_ADMIN_ACCOUNT input. It's strongly recommended that you use a credential to hide this value. cred: NEW_AD_ADMIN_PASSWORD

Change the boot mode of the OS

Use the operational scripts below to change the server's boot mode. No inputs are required.

  • SYS Change to safe boot mode - Changes the boot mode of the OS from normal to directory services restore mode (DSRM). DSRM allows Active Directory to be restored from a backup to a new instance.
  • SYS Change to normal boot mode - Changes the boot mode of the OS from DSRM back to normal.

Update a DNS record with an IP address

Update an existing DNS record with the public or private IP address of the current instance. This lets a remote server reach the primary Active Directory domain controller by its fully qualified domain name instead of by IP address.

Run the corresponding operational script with appropriate values for the following inputs.

Input Name | Description | Example Value
DNS_DOMAIN_NAME | If your DNS service provider references records by FQDN instead of by a string ID, use this input to specify the fully qualified domain name of the record that points to the domain controller. (e.g. primary-ad.example.com) Example: DynDNS: primary-ad.example.com (FQDN) | text: primary-ad.example.com
DNS_ID | If your DNS service provider references records by a unique string ID, use this input to identify the domain controller's record to your DNS provider. Examples: DNS Made Easy: 1234567 (Dynamic DNS ID); Amazon Route53: Z3DSDFSDFX (Hosted Zone ID) | text: 1234567
DNS_IP_ADDRESS | Whether to use the instance's private or public IP address to update the DNS record: Public IP or Private IP. | text: Public IP
DNS_PASSWORD | The password used to log into your DNS provider. DNS Made Easy: DME Password; DynDNS: DynDNS Password; Amazon Route 53: AWS Secret Access Key. | cred: DNS_PASSWORD
DNS_SERVICE | The DNS provider used to update the domain controller's DNS record: DNS Made Easy, DynDNS or Route53. | text:
DNS_TTL | The TTL of the DNS record that will be updated. (e.g. 60) | text: 60
DNS_USER | The username used to log into your DNS provider. DNS Made Easy: DME Username; DynDNS: DynDNS Username; Amazon Route 53: AWS Access Key ID. | cred: DNS_USERNAME

Create a Windows firewall permission

If you want a remote server to connect to the Windows domain controller, you must allow access at the networking level (if applicable) and on the local Windows firewall of the server. 

  1. If the domain controller is launched in a cloud that uses security groups (e.g. EC2) you must first update the instance's security group to allow ingress requests from the remote server's public IP address. Be sure to open the port on all required protocols (TCP, UDP). See Create a New EC2 Security Group. If the cloud does not support security groups, proceed to the next step. 
  2. Run the SYS AD open ports operational script with appropriate values for the following inputs to update the Windows firewall on the domain controller.
     
Input Name | Description | Example Value
REMOTE_DC_IP | The public IP address of the remote server that will be making requests to the domain controller. (e.g. 192.1.1.1) | text: 192.1.1.1
TCP_PORTS | The TCP port number that will be opened for the specified IP address (REMOTE_DC_IP). (e.g. 137) | text: 137
UDP_PORTS | The UDP port number that will be opened for the specified IP address (REMOTE_DC_IP). (e.g. 137) | text: 137
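The security-relevant detail of this step is that the rule is scoped to REMOTE_DC_IP rather than opened to any address. The PowerShell below is an added example, not the SYS AD open ports script: it creates the scoped inbound rules from the three inputs (generalised to a list of ports) and then audits the host firewall for existing allow rules that expose the same ports to any remote address. The addresses and ports are constructed samples.

```powershell
# Added example; not RightScale's script. Constructed sample values for the
# REMOTE_DC_IP, TCP_PORTS and UDP_PORTS inputs.
$RemoteIp = '192.1.1.1'
$TcpPorts = @(137, 139, 445)
$UdpPorts = @(137, 138)

function Add-ScopedAllowRule {
    param([string]$Protocol, [int[]]$Ports, [string]$RemoteAddress)
    $name = "AD remote access $Protocol $($Ports -join ',') from $RemoteAddress"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$name' already present"; return
    }
    # The weak form is the same rule without -RemoteAddress, which defaults to
    # Any; the remote scope is what keeps these ports from being exposed broadly.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $Ports -RemoteAddress $RemoteAddress -Profile Any | Out-Null
    Write-Output "Created '$name'"
}

function Find-UnscopedAllowRules {
    # Enabled inbound allow rules that cover one of $Ports with remote scope Any.
    param([int[]]$Ports)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        # LocalPort may be 'Any', a single port, a range like '135-139' or an
        # RPC keyword; only single numeric ports are compared here.
        $hit = @($port.LocalPort) | Where-Object { $_ -match '^\d+$' -and $Ports -contains [int]$_ }
        if ($hit -and ($addr.RemoteAddress -eq 'Any')) {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Protocol = $port.Protocol
                Port     = ($hit -join ',')
                Remote   = 'Any'
            }
        }
    }
}

Add-ScopedAllowRule -Protocol TCP -Ports $TcpPorts -RemoteAddress $RemoteIp
Add-ScopedAllowRule -Protocol UDP -Ports $UdpPorts -RemoteAddress $RemoteIp

$exposed = Find-UnscopedAllowRules -Ports ($TcpPorts + $UdpPorts)
if ($exposed) {
    Write-Warning 'These rules allow the same ports from any address; scope or disable them:'
    $exposed | Format-Table -AutoSize
}
```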

 

Connect a remote server to the domain controller

To connect a remote server to a domain controller that was launched in a cloud using the Microsoft Active Directory ServerTemplate, you must first configure the domain controller to accept ingress communication from the remote server. See the Create a Windows firewall permission steps.

If you want the remote server to connect to the domain controller by using a FQDN, you must create a DNS record and either manually update the record with the domain controller's public IP address or follow the steps for Update a DNS record with an IP address. Of course, you can also have the remote server connect to the domain controller by using its public IP address.

Terminate the Server

If you want to terminate the primary domain controller, you may want to promote the additional domain controller (if available) to become the new primary domain controller before terminating the current primary domain controller. See FAILOVER - Transfer or Seize FSMO roles.

You should also consider taking a final backup before terminating the server.

If you are absolutely positive that you no longer need the primary domain controller, it is safe to terminate the server.

 

Enable or Disable Windows Firewall

Use the 'SYS Enable Windows Firewall' and 'SYS Disable Windows Firewall' operational scripts to enable or disable Windows firewall settings. Add the script to the "Boot Scripts" list to enable Windows Firewall by default at boot time when a new instance is launched.

Configure the Windows Updates Policy

By default, no Windows updates are applied to a running server. However, you can set the following input and run the 'SYS Set Windows Automatic Updates Policy' operational script to define how Windows automatic updates should be applied to an operational Windows server.

Input Name | Description | Example Value
WINDOWS_AUTOMATIC_UPDATES_POLICY | Defines the Windows automatic updates policy: Disable automatic updates, Install updates automatically, Notify before download, or Notify before installation. (Default is no automatic updates.) | text: Install updates automatically

Configure the Windows Reboot Policy

Some Windows updates require a server to be rebooted in order to complete the installation process. However, you might want to reboot the instance at a more convenient time in order to reduce the amount of site downtime or negative impact to your end users. In such cases, you can set the following input before running either the 'SYS Install All Windows Updates' or 'SYS Install Microsoft update by KB number' operational script to specify whether or not an instance is allowed to reboot after the script is run. Reboot is not allowed by default.

Input Name | Description | Example Value
WINDOWS_UPDATES_REBOOT_SETTING | Defines whether or not the instance is rebooted after installing a Windows update: Do Not Allow Reboot or Allow Reboot. | text: Allow Reboot

Install Windows Updates

Run the 'SYS Install All Windows Updates' operational script to download and install all new Windows updates. Any updates that require a user to accept a EULA are NOT installed. Use the WINDOWS_UPDATES_REBOOT_SETTING input to control whether or not the instance is rebooted after the updates are installed, if required.

Input Name | Description | Example Value
WINDOWS_UPDATES_REBOOT_SETTING | Defines whether or not the instance is rebooted after installing a Windows update: Do Not Allow Reboot or Allow Reboot. | text: Allow Reboot

Install Microsoft Knowledge Base (KB) Article Updates

Set the following input and run the 'SYS Install Microsoft update by KB number' operational script to install a specific KB update.

To apply the KB updates to the running server at boot time, add the script to the end of the "Boot Scripts" list.

Input Name | Description | Example Value
KB_ARTICLE_NUMBER | The Microsoft KB number of the update to be installed. Use the format KBxxxxxx (x is a digit) or just xxxxxx to specify the number. You can specify either a single KB article number or a comma-separated list. | text: 961402
WINDOWS_UPDATES_REBOOT_SETTING | Defines whether or not the instance is rebooted after installing a Windows update: Do Not Allow Reboot or Allow Reboot. | text: Allow Reboot

Register with a Windows KMS Server

Set the following inputs and run the 'SYS Activate Windows with KMS server' operational script to activate the instance's license with a Microsoft Key Management Server (KMS). Before you run the script, make sure that the KMS server's firewall settings are configured to accept a request from the instance. 

Input Name | Description | Example Value
KMS_HOST | The FQDN or IP address of the KMS server with which the instance will activate its license. (e.g. kms.mydomain.com) | text: kms.example.com or text: 10.567.333.45
KMS_PORT | The port number that the instance will use to connect to the KMS server. (Default is 1688.) | text: 1688
Last modified
13:48, 11 Sep 2013



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.