Note: Please go to to access the current RightScale documentation set. Also, feel free to Chat with us!
Home > ServerTemplates > v13.5 LTS > ST > Microsoft Active Directory (v13.5 LTS) > Microsoft Active Directory (v13.5 LTS) - Tutorial

Microsoft Active Directory (v13.5 LTS) - Tutorial

Table of Contents    


Long Term Support

Stable, tested ServerTemplate assets

   ►  Tutorial


Launch a Windows Active Directory (AD) primary domain controller and associated additional domain controllers in the cloud.

Note: Currently, this ServerTemplate only supports the following clouds: AWS EC2, Windows Azure, and Rackspace Open Cloud. (Note: Rackspace Performance Cloud Servers are not supported.)


The following are prequisites for completing this tutorial:

  • Required user roles: actor, library
  • Either valid AWS credentials or Windows Azure credentials associated with the RightScale account


In this tutorial, the "primary domain controller" denotes the Windows domain controller with operations master roles (also known as flexible single master operations or FSMO roles) assigned. As described in the Microsoft documentation, when the first domain controller in a domain is installed, the installation assigns it all "operations master" roles.

To learn more about the technical details of the ServerTemplate, see Microsoft Active Directory (v13.5_LTS).

Create Credentials

It's recommended that you create the following credentials before you start configuring the server. For more information on setting up credentials, see Create a New Credential.

  • WINDOWS_ADMIN_PASSWORD - Password for the local Windows administrator account on a domain controller.
  • DOMAIN_ADMIN_PASSWORD - Password for the Windows domain user account used to install Active Directory Domain Services.
  • SAFE_MODE_PASSWORD - Password for the administrator account when the domain controller is started in Safe Mode or a related variant such as Directory Services Restore Mode (DSRM).
  • AD_ADMIN_PASSWORD - Password for the user with Active Directory 'administrator' privileges (AD_ADMIN_ACCOUNT) that's used to install Active Directory Domain Services. User must have Active Directory privileges. 

If you are setting up a DNS record for the Active Directory server, create credentials for the login information that's required to update a record with your DNS provider.

  • DNS_USER* - Username that's used to log into your DNS provider and access your DNS records.
  • DNS_PASSWORD* - Password for DNS_USER.

* If you use Amazon Route 53 as your DNS provider, you do not need to set up separate DNS user name and password credentials because your AWS credentials are used for authentication purposes. 


Create a Security Group

Required for clouds that support security groups. (e.g. AWS EC2)

Set up an EC2 security group (in the region where you are going to launch the Active Directory server) with the following permissions. See Create a New EC2 Security Group. For an example, see this screenshot.

Open the ports below to any IP.

  • TCP:3389  (Required for RDP access)
  • TCP:80  (Required for HTTP access. If you are going to create a DNS record that points to the Active Directory server, open TCP port 80.)
  • TCP:443  (Required for HTTPS access.)

Use the add 'group' functionality to open the ports below within the same group so that any instance launched with the same security group can communicate across the specified ports using the private IP addresses.

  • TCP - 53, 88, 135, 137, 139, 389, 445, 636, 3268, 3269, and 1024-65535
  • UDP - 53, 88, 135, 137, 138, 389, and 445


When you add a server to the deployment in the next step, be sure to select this security group.

Add a Server

Follow these steps to add a Microsoft Active Directory server to the deployment.

  1. Go to the MultiCloud Marketplace (Design > MultiCloud Marketplace > ServerTemplates) and import the most recently published revision of the Microsoft Active Directory ServerTemplate into the RightScale account.
  2. From the imported ServerTemplate's show page, click the Add Server button.
  3. Select the cloud for which you will configure a server. 
  4. Select the deployment into which the new server will be placed.
  5. Next, the Add Server Assistant wizard will walk you through the remaining steps that are required to create a server based on the selected cloud.
    • Server Name - Provide a nickname for your new load balancer server (e.g. Windows AD). 
    • Select the appropriate cloud-specific resources that are required in order to launch a server into the chosen cloud. The required cloud resources may differ depending on the type of cloud infrastructure. If the cloud supports multiple datacenters / zones, select a specific zone. Later, when you create the other load balancer server you will use a different datacenter / zone to ensure high-availability. For more information, see Add Server Assistant.
  6. Click Confirm, review the server's configuration and click Finish to create the server.

Configure Inputs

The next step is to define the properties of your server by entering values for inputs. As a best practice, you should define required inputs for the servers at the deployment level. For a detailed explanation of how inputs are defined and used in Chef recipes and RightScripts, see Inputs and their Hierarchy.

To configure inputs for the scripts that will run on your server, open the deployment's Inputs tab, click Edit, and use the following settings to configure input values. It's recommended that you set up credentials for password values and any other sensitive data as shown in the examples.


Input Name Description Example Value

A string that is used to track all Active Directory backups in a certain 'set', usually deployment wide. If the server is locked, then you will not be able to take a backup. 

text: mylineagename

BACKUP_VOLUME_SIZE Used to specify the size in GB of the Active Directory backup volume.  text: 20

Used to specify the size in GB of volumes for the Active Directory database and logs.

text: 10


Input Name Description Example Value

Set the new password for the local Administrator account on the domain controller. The password must satisfy Window's minimum requirements for a Windows administrator password, otherwise the random password that is generated for you at boot time (located under the server's Info tab,'Initial Admin Password' field) will be used instead. The password should be at least 7 characters long with at least one upper case letter, one lower case letter and one digit. 

When you RDP into the server, you will use this password to log in as the Windows 'Administrator' user.

It's strongly recommended that you use a credential to hide this value. However, anyone who needs to log into the server will need to know the actual value.

Note: Once the server is operational, you can use the AD Change Administrator password operational script to change the value.


AD_ADMIN_ACCOUNT Used only if setting up an additional (non-primary) domain controller, this is the Windows domain user account used to install Active Directory Domain Services. This account must have Active Directory administrator permissions. This input is also used for transferring FSMO roles as well. text: administrator
AD_ADMIN_PASSWORD The password for the 'administrator' user specified by the AD_ADMIN_ACCOUNT input. It's strongly recommended that you use a credential to hide this value. cred: AD_ADMIN_PASSWORD
AD_DOMAIN_CONTROLLER For your first installation, choose "Primary" to install a primary domain controller to which operations master roles are assigned. text: Primary

Specify the functional level for the domain: either 2 for Windows 2003, 3 for Windows 2008 SP2 x64, or 4 for Windows 2008 x64 R2.

text: 3
AD_FOREST_LEVEL Specify the functional level for the forest: either 2 for Windows 2003, 3 for Windows 2008 SP2 x64, or 4 for Windows 2008 x64 R2. text: 3

The existing Active Directory site for the new domain controller.

Note: We recommend using a static, non-variable site name across all domain controllers. Otherwise, you may receive errors when launching additional domain controllers, if the servers'  AD_SITE_NAME inputs reference non-identical values (e.g. "SiteA" and "SiteB").

text: Site

The fully qualified domain name (FQDN) for the new domain. (e.g. If you are not using DNS records for the domain controller, you can enter a simple text string intead. (e.g. mycompany.local)

Note: An IP address is not a supported string.

text: rightscale.local


NETBIOS_DOMAIN_NAME NetBIOS name for the new domain; limit to 15 characters or fewer. text: rightscale
SAFE_MODE_PASSWORD Password for the administrator account when the domain controller is started in Safe Mode or a related variant such as Directory Services Restore Mode (DSRM). cred: SAFE_MODE_PASSWORD


Sets the system timezone to the timezone specified, which must be a valid Windows timezone entry. You can find a list of valid examples in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones". Some examples have been provided in the dropdown, which you may override if you do not see your timezone listed.

It's strongly recommended that you use, "GMT Standard Time" (Greenwich Mean Time).

text: GMT Standard Time


Click Save.

Launch the Server

Once all of the inputs are configured, you are ready to launch the server.

  1. Go to the deployment's Servers tab and launch the server. When you view the input confirmation page, there should not be any required inputs with missing values. If there are any required inputs that are missing values (highlighted in red), cancel the launch and add the missing values at the deployment level before launching the server again. Refer to the instructions in Launch a Server if you are not familiar with this process. Because there are no required inputs that are missing values for any boot scripts, you can click the Launch button at the bottom of the input confirmation page. 

    Because the AD Create a Directory Controller boot script requests a server restart (reboot), the domain controller server will temporarily enter the "decommissioning" state before it becomes "operational." Refer to the Audit Entries tab for details. (See screenshot.) 


Post Tutorial Steps

Once you have an operational server you may want to launch an additional domain server, create a backup, enable continuous backups, or connect a remote server. For complete documentation about all the common operational tasks related to this server, please see the Microsoft Active Directory (v13.5_LTS) - Runbook.

You must to post a comment.
Last modified
10:49, 9 Dec 2013



This page has no classifications.



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.