Join an AWS EC2 instance to an existing domain via Amazon Virtual Private Cloud VPN

I have a project group that wants to set up some temporary compute instances on AWS. Easy enough.  The trick is they want the instances to be connected to our domain so users can authenticate normally and there is no differentiation in their experience when using these systems.  I've never joined a machine to the domain through a VPN connection, but I know it's possible

We've set up a VPC with a 10.x.x.x/24 CIDR block, traffic can pass through and I can remote to the instances I've created there.  When I attempt to join the domain, it errors out, stating it cannot contact the AD DC.  I've checked firewall settings, had ITSEC check out the VPN and can't find the problem.  Can anyone help?
BighoppaAsked:
Who is Participating?
 
smckeown777Connect With a Mentor Commented:
Going to ask the stupid question first...on the AWS instances have you set the DNS entries to point to your AD server? Should have a single primary DNS entry and remove the secondary one and see if that works...

Since you have connectivity normally when you can't join a domain its a dns related issue
0
 
BighoppaAuthor Commented:
Yeah, DNS is set in the VPC options to our name servers, and I also hard-coded them into the VMs for good measure.  Can't get any traffic from them to the DNS.  Going to work with the security team and have them check the firewall rules again.
0
 
Aaron TomoskyConnect With a Mentor SD-WAN SimplifiedCommented:
I just did this with a rackspace vm using the sonicwall global vpn client. No problem, so it is possible.

BTW once you have it up, you probably want to mess with the weight and priority
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
BighoppaAuthor Commented:
Finally got it working.  Looks like one of the firewall guys fat-fingered the port rules.  Got them corrected last night and joined the VM to our domain this morning.
0
 
Aaron TomoskyConnect With a Mentor SD-WAN SimplifiedCommented:
Good to hear. Don't forget to uncheck "register this connection in DNS" for all the non VPN nics. Ip4 and ipv6
0
 
Aaron TomoskySD-WAN SimplifiedCommented:
one last thing, this was new to me, might be old hat to you:
server manager -> tools -> active directory sites and services
add a site for your remote stuff seperate from default-first-site and make subnets for all the sites. I called my remote site "vpn" and assigned it a /32 network (one ip) for the vpn box. this keeps it out of the rotation better than turning down the weight and priority (but I left those settings set as well).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.