Creating a Windows Domain in the Cloud

I recently had to create a Windows Domain in the Cloud, hosted by Amazon Web Services. It posed a particular set of issues.

We created a Windows Server 2003 domain controller instance, and installed DNS on it as well. We assigned the domain controller an elastic IP, so that its public IP address and name would not change (more on this later).

For each server instance wanting to join the domain:

  • we disabled the AWS “auto-naming” setting in AWS configuration
  • we set its primary name server to be the domain controller, using the DC’s public elastic IP address
  • we could then join the domain successfully

But there were drawbacks to this approach:

  1. We didn’t want to use the public (permanent) IP address of the domain controller – it meant we had to have crazily loose security group settings, and the Amazon bills were higher
  2. Because we had overridden the primary name server on each of the server instances, they could no longer resolve Amazon public instance names to private IP addresses. That resolution only works when the query reaches Amazon’s own DNS server, so you need to be able to find it

We solved problem 2 by using DNS forwarding on the domain controller – forwarding to Amazon’s own name server. This meant that, for example, the public name of our domain controller resolved to a private IP address.

We solved problem 1 by using the private IP address of the domain controller as the name server for the server instances in the domain.

But what if the DC fails? Doesn’t it get a new private IP address when we recreate it? Won’t we then have to change this setting for all the servers?

Our solution was to add the Amazon DNS server as the secondary name server for each of the server instances. We then wrote a Windows Service that did the following:

  • performed a lookup of the public name of the DC
  • if the private IP address returned was different to that of the primary name server, updated the entry for the primary name server

Our reasoning was: if the DC fails and has to be recreated, the lookup will still succeed using the secondary (Amazon’s) name server.
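One pass of the check that service performs, as an added PowerShell example rather than the authors' own service code; the DC's public name and the Amazon resolver address are placeholders, and it uses WMI rather than the newer DNS client cmdlets so the same script also applies to Server 2003. It refuses to act on a non-private answer, since writing a public address back as primary would reintroduce problem 1.

```powershell
# Added example, not the post's service code. The two values below are placeholder assumptions.
$DcPublicName = 'ec2-203-0-113-10.compute-1.amazonaws.com'  # placeholder: DC's public EC2 name
$AmazonDns    = '10.0.0.2'                                   # placeholder: Amazon resolver (secondary)

function Test-PrivateIPv4 {
    param([string]$Address)
    # Accept only RFC 1918 addresses; a public answer must never become the primary name server.
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-DcPrivateAddress {
    param([string]$Name)
    # Inside EC2 the public name resolves to the private address: through the DC's forwarder while
    # the DC is alive, through the secondary (Amazon) resolver once it is not.
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
             Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
    if (-not $addrs) { throw "Could not resolve $Name" }
    $ip = $addrs[0].IPAddressToString
    if (-not (Test-PrivateIPv4 $ip)) { throw "$Name resolved to non-private address $ip; not updating" }
    return $ip
}

function Update-PrimaryDnsServer {
    param([string]$DcName, [string]$SecondaryDns)
    $dcIp = Get-DcPrivateAddress -Name $DcName
    # Win32_NetworkAdapterConfiguration exists on Server 2003 as well as on later releases.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($nic in $nics) {
        $primary = @($nic.DNSServerSearchOrder)[0]
        if ($primary -eq $dcIp) { continue }   # already pointing at the current DC; nothing to do
        # Keep the Amazon resolver as secondary so the next lookup still works if this DC dies too.
        $r = $nic.SetDNSServerSearchOrder(@($dcIp, $SecondaryDns))
        if ($r.ReturnValue -ne 0) {
            Write-Warning ("DNS update failed on '{0}' (WMI return {1})" -f $nic.Description, $r.ReturnValue)
        } else {
            Write-Output ("Primary DNS on '{0}' changed {1} -> {2}" -f $nic.Description, $primary, $dcIp)
        }
    }
}

Update-PrimaryDnsServer -DcName $DcPublicName -SecondaryDns $AmazonDns
```

Run it on a schedule (or from the service's timer); while the old DC is down, the lookup only succeeds after the resolver times out on the dead primary and falls back to the secondary, so allow for that delay.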

Phew.
