Long Term Support: stable, tested ServerTemplate assets.
Launch a Windows Active Directory (AD) primary domain controller and associated additional domain controllers in the cloud.
Note: This ServerTemplate currently supports only the following clouds: AWS EC2, Windows Azure, and Rackspace Open Cloud. (Rackspace Performance Cloud Servers are not supported.)
The following are prerequisites for completing this tutorial:
In this tutorial, "primary domain controller" denotes the Windows domain controller that holds the operations master roles (also known as flexible single master operations, or FSMO, roles). As the Microsoft documentation describes, when the first domain controller in a domain is installed, the installation assigns it all operations master roles.
To learn more about the technical details of the ServerTemplate, see Microsoft Active Directory (v13.5_LTS).
It's recommended that you create the following credentials before you start configuring the server. For more information on setting up credentials, see Create a New Credential.
If you are setting up a DNS record for the Active Directory server, create credentials for the login information that's required to update a record with your DNS provider.
* If you use Amazon Route 53 as your DNS provider, you do not need to set up separate DNS user name and password credentials because your AWS credentials are used for authentication purposes.
Required for clouds that support security groups (e.g. AWS EC2).
Set up an EC2 security group, in the region where you will launch the Active Directory server, with the following permissions. See Create a New EC2 Security Group. For an example, see this screenshot.
Open the ports below to any IP. Where your cloud allows it, restrict these rules to the address ranges that actually need to reach the domain controller rather than any IP: a domain controller reachable from the whole internet is a high-value target for password guessing and directory enumeration, so treat "any IP" as the fallback, not the goal.
Use the add 'group' functionality to open the ports below to the security group itself, so that any instance launched with the same security group can reach the domain controller on those ports over private IP addresses.
When you add a server to the deployment in the next step, be sure to select this security group.
Follow these steps to add a Microsoft Active Directory server to the deployment.
The next step is to define the properties of your server by entering values for inputs. As a best practice, you should define required inputs for the servers at the deployment level. For a detailed explanation of how inputs are defined and used in Chef recipes and RightScripts, see Inputs and their Hierarchy.
To configure inputs for the scripts that will run on your server, open the deployment's Inputs tab, click Edit, and use the following settings to configure input values. It's recommended that you set up credentials for password values and any other sensitive data as shown in the examples.
| Input Name | Description | Example Value |
|---|---|---|
| | A string used to tag all Active Directory backups that belong to one 'set', usually one per deployment. A locked server cannot be backed up. | |
| BACKUP_VOLUME_SIZE | Size in GB of the Active Directory backup volume. | text: 20 |
| | Size in GB of the volumes that hold the Active Directory database and logs. | |
| Input Name | Description | Example Value |
|---|---|---|
| | New password for the local Administrator account on the domain controller. It must satisfy Windows' minimum requirements for an administrator password (at least 7 characters, with at least one upper-case letter, one lower-case letter and one digit). If it does not, the value is silently ignored and the random password generated at boot time (server's Info tab, 'Initial Admin Password' field) is used instead, so verify that the password you set actually works before relying on it. This is the password you use to log in as the Windows 'Administrator' user over RDP. It's strongly recommended that you use a credential to hide this value; anyone who needs to log in to the server will still need to know the actual value. Note: Once the server is operational, the AD Change Administrator password operational script changes the value. | |
| AD_ADMIN_ACCOUNT | Used only when setting up an additional (non-primary) domain controller: the Windows domain user account used to install Active Directory Domain Services. The account must have Active Directory administrator permissions. The same account is used when transferring FSMO roles. | text: administrator |
| AD_ADMIN_PASSWORD | Password for the account named in AD_ADMIN_ACCOUNT. It's strongly recommended that you use a credential to hide this value. | cred: AD_ADMIN_PASSWORD |
| AD_DOMAIN_CONTROLLER | For your first installation, choose "Primary" to install a primary domain controller, to which the operations master roles are assigned. | text: Primary |
| | Functional level for the domain: 2 for Windows Server 2003, 3 for Windows Server 2008 SP2 x64, or 4 for Windows Server 2008 R2 x64 (the same numbering Active Directory stores in msDS-Behavior-Version). Choose a level no higher than the oldest Windows Server version any additional domain controller will run: a domain controller cannot join a domain whose functional level is above its own OS. | |
| AD_FOREST_LEVEL | Functional level for the forest, using the same numbering: 2 for Windows Server 2003, 3 for Windows Server 2008 SP2 x64, or 4 for Windows Server 2008 R2 x64. The forest level cannot be higher than the domain level. | text: 3 |
| AD_SITE_NAME | The existing Active Directory site in which to place the new domain controller. Note: Use a fixed, non-variable site name across all domain controllers. If the servers' AD_SITE_NAME inputs reference non-identical values (e.g. "SiteA" and "SiteB"), launching additional domain controllers may fail. | |
| | The fully qualified domain name (FQDN) for the new domain (e.g. my-ad.example.com). If you are not using DNS records for the domain controller, a simple text string also works (e.g. mycompany.local). Note: An IP address is not a supported value. | |
| NETBIOS_DOMAIN_NAME | NetBIOS name for the new domain; 15 characters or fewer. | text: rightscale |
| SAFE_MODE_PASSWORD | Password for the administrator account used when the domain controller is started in Safe Mode or a related variant such as Directory Services Restore Mode (DSRM). This password allows logging in to the domain controller with the directory offline, so treat it as carefully as a domain administrator password and use a credential to hide it. | cred: SAFE_MODE_PASSWORD |
| | Sets the system timezone, which must be a valid Windows timezone name as listed under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones". The dropdown offers some examples, which you may override if your timezone is not listed. It's strongly recommended that you use "GMT Standard Time" (Greenwich Mean Time). | text: GMT Standard Time |
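Because a non-compliant Administrator password is silently replaced by the random boot-time password, and several other inputs above carry rules the launch will not forgive, it is worth checking the values before you set them. The following PowerShell function is an added example, not part of the ServerTemplate or RightScale's own tooling. It encodes the constraints stated in the table: the password complexity rule, the 15-character NetBIOS limit, "no IP address" for the domain name, the 2/3/4 functional-level numbering with forest not above domain, the extra inputs an additional (non-primary) domain controller needs, and the registry lookup for the timezone. ADMIN_PASSWORD, AD_DOMAIN_NAME, AD_DOMAIN_LEVEL and TIMEZONE are hypothetical names for inputs whose exact names the table does not show; applying the complexity rule to SAFE_MODE_PASSWORD and the forbidden-character list for NetBIOS names are assumptions beyond the page; the sample values are constructed.

```powershell
# Added example (not part of the ServerTemplate): pre-flight check of the
# deployment inputs, run on your workstation before launching the server.
# ADMIN_PASSWORD, AD_DOMAIN_NAME, AD_DOMAIN_LEVEL and TIMEZONE are hypothetical
# input names; the sample values at the bottom are constructed.
function Test-AdInputs {
    param([Parameter(Mandatory = $true)][hashtable]$Inputs)
    $problems = @()

    # Local Administrator password: >= 7 chars with upper, lower and digit,
    # otherwise the random boot-time password is used instead of this value.
    $pw = [string]$Inputs.ADMIN_PASSWORD
    if ($pw.Length -lt 7 -or $pw -cnotmatch '[A-Z]' -or $pw -cnotmatch '[a-z]' -or $pw -notmatch '[0-9]') {
        $problems += 'ADMIN_PASSWORD fails the minimum rule; the random boot-time password would be used instead.'
    }

    # DSRM password: an offline credential for the DC. Assumption: same
    # complexity rule; it must at least not reuse the Administrator password.
    $dsrm = [string]$Inputs.SAFE_MODE_PASSWORD
    if ($dsrm.Length -lt 7 -or $dsrm -cnotmatch '[A-Z]' -or $dsrm -cnotmatch '[a-z]' -or $dsrm -notmatch '[0-9]') {
        $problems += 'SAFE_MODE_PASSWORD fails the minimum rule.'
    }
    if ($dsrm -ceq $pw) { $problems += 'SAFE_MODE_PASSWORD must not be the same as ADMIN_PASSWORD.' }

    # NetBIOS domain name: 1-15 characters (assumption: none of \ / : * ? " < > | or a period).
    $nb = [string]$Inputs.NETBIOS_DOMAIN_NAME
    if ($nb.Length -lt 1 -or $nb.Length -gt 15 -or $nb -match '[\\/:*?"<>|.]') {
        $problems += 'NETBIOS_DOMAIN_NAME must be 1-15 characters without \ / : * ? " < > | or a period.'
    }

    # Domain name: DNS labels (my-ad.example.com or mycompany.local), never an IP address.
    $dn = [string]$Inputs.AD_DOMAIN_NAME
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($dn, [ref]$ip) -or
        $dn -notmatch '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$') {
        $problems += 'AD_DOMAIN_NAME must be a DNS name such as my-ad.example.com, not an IP address.'
    }

    # Functional levels: 2 = 2003, 3 = 2008, 4 = 2008 R2; forest level may not exceed domain level.
    $dl = [int]$Inputs.AD_DOMAIN_LEVEL
    $fl = [int]$Inputs.AD_FOREST_LEVEL
    if ($dl -lt 2 -or $dl -gt 4 -or $fl -lt 2 -or $fl -gt 4) {
        $problems += 'AD_DOMAIN_LEVEL and AD_FOREST_LEVEL must each be 2, 3 or 4.'
    } elseif ($fl -gt $dl) {
        $problems += 'AD_FOREST_LEVEL cannot be higher than AD_DOMAIN_LEVEL.'
    }

    # An additional (non-primary) DC is installed with an existing domain admin account.
    if ($Inputs.AD_DOMAIN_CONTROLLER -ne 'Primary' -and
        ([string]::IsNullOrEmpty($Inputs.AD_ADMIN_ACCOUNT) -or [string]::IsNullOrEmpty($Inputs.AD_ADMIN_PASSWORD))) {
        $problems += 'A non-primary domain controller needs AD_ADMIN_ACCOUNT and AD_ADMIN_PASSWORD.'
    }
    if ([string]::IsNullOrEmpty($Inputs.AD_SITE_NAME)) {
        $problems += 'AD_SITE_NAME must be set, and identical on every domain controller.'
    }

    # Timezone: must be a key under the registry path the table cites (checked on Windows only).
    $tzRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'
    if ((Test-Path $tzRoot) -and -not (Test-Path (Join-Path $tzRoot ([string]$Inputs.TIMEZONE)))) {
        $problems += "TIMEZONE '$($Inputs.TIMEZONE)' is not a valid Windows timezone name."
    }

    return ,$problems
}

# Constructed sample mirroring the example values in the input table.
$Inputs = @{
    ADMIN_PASSWORD       = 'Str0ngLocalPw'           # hypothetical input name
    SAFE_MODE_PASSWORD   = 'Dsrm-Recov3ry'
    AD_DOMAIN_CONTROLLER = 'Primary'
    AD_DOMAIN_LEVEL      = 3                         # hypothetical input name
    AD_FOREST_LEVEL      = 3
    AD_SITE_NAME         = 'Default-First-Site-Name' # assumed site name
    AD_DOMAIN_NAME       = 'my-ad.example.com'       # hypothetical input name
    NETBIOS_DOMAIN_NAME  = 'rightscale'
    TIMEZONE             = 'GMT Standard Time'       # hypothetical input name
}
$problems = Test-AdInputs $Inputs
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Inputs pass the pre-flight checks.' }
```

Run it with the real values you intend to store in credentials (in a session you then close); it never sends anything anywhere. The password test is the one that matters most, since that is the only input the template degrades silently rather than failing loudly.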
Once all of the inputs are configured, you are ready to launch the server.
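After the server reports operational, it is worth confirming that what came up matches the inputs: the functional levels, the NetBIOS name, the site, and (for a "Primary" server) that all five operations master roles sit on this domain controller. The following PowerShell script is an added example, not part of the ServerTemplate or its runbook. It assumes an elevated session on the new domain controller with the ActiveDirectory module available (shipped with Windows Server 2008 R2 and later; on Windows Server 2008 SP2 it is not present); the $Expected values mirror the example inputs above, and the site name and the "this is the primary" flag are assumptions.

```powershell
# Added example (not part of the ServerTemplate or its runbook): post-launch
# check that the live domain controller matches the deployment inputs.
# Requires the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$Expected = @{
    DomainLevel = 3                          # AD_DOMAIN_LEVEL input (2/3/4); name assumed
    ForestLevel = 3                          # AD_FOREST_LEVEL input
    NetBios     = 'rightscale'               # NETBIOS_DOMAIN_NAME input
    SiteName    = 'Default-First-Site-Name'  # AD_SITE_NAME input (assumed value)
    IsPrimary   = $true                      # AD_DOMAIN_CONTROLLER = Primary
}

# The numeric levels used by the inputs map to the mode names that
# Get-ADDomain and Get-ADForest report.
$DomainModes = @{ 2 = 'Windows2003Domain'; 3 = 'Windows2008Domain'; 4 = 'Windows2008R2Domain' }
$ForestModes = @{ 2 = 'Windows2003Forest'; 3 = 'Windows2008Forest'; 4 = 'Windows2008R2Forest' }

$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME

function New-Check($name, $expected, $actual) {
    New-Object PSObject -Property @{ Check = $name; Expected = "$expected"; Actual = "$actual" }
}

$results = @(
    New-Check 'DomainFunctionalLevel' $DomainModes[$Expected.DomainLevel] $domain.DomainMode
    New-Check 'ForestFunctionalLevel' $ForestModes[$Expected.ForestLevel] $forest.ForestMode
    New-Check 'NetBIOSDomainName'     $Expected.NetBios                    $domain.NetBIOSName
    New-Check 'Site'                  $Expected.SiteName                   $dc.Site
)

# The first DC in a new domain holds all five FSMO roles; an additional DC
# holds none unless roles were deliberately transferred to it.
$roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster)
$rolesHere = @($roleHolders | Where-Object { $_ -eq $dc.HostName }).Count
$expectedRoles = if ($Expected.IsPrimary) { 5 } else { 0 }
$results += New-Check 'FsmoRolesOnThisDC' $expectedRoles $rolesHere

$results | Select-Object Check, Expected, Actual | Format-Table -AutoSize

$mismatch = @($results | Where-Object { $_.Expected -ne $_.Actual })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) check(s) disagree with the deployment inputs."
    exit 1
}
```

A Site mismatch on an additional domain controller is the symptom the AD_SITE_NAME note above warns about; an FSMO count other than 5 on the primary means roles were moved (or the install was not the first in the domain), which is worth knowing before you take the first backup.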
Once you have an operational server, you may want to launch an additional domain controller, create a backup, enable continuous backups, or connect a remote server. For complete documentation of the common operational tasks for this server, see the Microsoft Active Directory (v13.5_LTS) - Runbook.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.