Tessando asked:
Server Not Connecting To Domain After Reboot in EC2

I am using AWS Directory Service, specifically SimpleAD, for a new Active Directory Domain.

I've got four servers actively running and plan on putting in three more for a migration.

When I restart my running Windows EC2 instances and log in, it gives the feeling that it's not attached to the domain:

  • Some scheduled tasks inexplicably fail
  • UNC doesn't work
  • I get INSUFFICIENT alerts for the drive space in CloudWatch

What's really weird is that for all intents and purposes it appears attached:

  • It shows it's attached to the domain in the properties
  • I can log in using my domain credentials

To resolve this, I've been manually putting the server in a made-up WORKGROUP, restarting and then re-attaching to the domain.

I realize that this is a broad request, but I'm throwing this out there to see if anyone can offer suggestions like spin-up scripts or something that will allow me to restart servers so that they come back up attached to the domain.

Thanks!
Aaron Tomosky:

From the problem you are describing, it sounds like you are using a public DNS, and not one that has your private server entries. Did you set up DNS according to the guide?
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/dns_with_simple_ad.html
Tessando (asker):
Thank you for your response, Aaron.

I did set up the VPC per the suggestion of Best Practices. This is a new, fresh domain used for Active Directory and while I am allowing some external servers from our Co-Location into the network, that is only through Security Groups (e.g. those servers only have UNC access and remain a separate domain).

In the link you sent it mentions "These DNS servers will resolve names configured in your Amazon Route 53 private hosted zones."

Do I need to explicitly create private hosted zones? e.g.

SERVER.DOMAIN.net IN A 10.0.10.100

If I do this, will this allow a restart to instantly connect to the Domain?

Thank you for your help!
Aaron Tomosky:

My experience is mostly with actual domain controllers and I know they exhibit the exact same issue when the domain-joined machine doesn't have the domain in DNS, so it's most likely the same problem. I do find it odd that it's not set up this way for you already, but it does seem to be the issue.
Tessando (asker):

Thanks Aaron:

When you say "I know they exhibit the exact same issue when the domain-joined machine doesn't have the domain in DNS so it's most likely the same problem":

Is the DNS you are referring to, in the case of Amazon, going to be actual entries in Route 53? It's really where I manage all of the DNS for our company.

If so, do I need to explicitly add, on a server-by-server basis, a record for the Private IP Address? This doesn't seem correct because some servers will have an Elastic IP associated with them (especially those within the Public subnets). Maybe those should only be private CIDRs because of their association to the domain.

Here is a screenshot of the new entry for the only server I have running in the Private subnet:
private-dns.png
ASKER CERTIFIED SOLUTION
Aaron Tomosky

(solution text not available)

Tessando (asker):
Thanks for your help, Aaron. I was able to perform an nslookup and ping successfully from a couple different servers that have this problem. Below are the results. Any other suggestions that I can try?

Thanks!

PS C:\Users\someitguy> nslookup DOMAIN.net
Server:  AWS-1BE40DEF26.DOMAIN.net
Address:  10.0.30.225

Name:    DOMAIN.net
Addresses:  10.0.30.225
          10.0.20.23

PS C:\Users\someitguy> ping DOMAIN.net

Pinging DOMAIN.net [10.0.30.225] with 32 bytes of data:
Reply from 10.0.30.225: bytes=32 time<1ms TTL=255
Reply from 10.0.30.225: bytes=32 time<1ms TTL=255
Reply from 10.0.30.225: bytes=32 time<1ms TTL=255
Reply from 10.0.30.225: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.30.225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


...
Aaron Tomosky:

Well, there goes my idea. Are you doing UNC with a FQDN or just the NetBIOS short name? Is the DNS suffix set on the NIC correctly (so you type servername and it automatically appends servername.domain.com)?
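The checks Aaron is asking about (which DNS servers the NIC uses, whether the domain suffix is applied to short names, whether a DC can be located, and whether the machine's trust to the domain is healthy) can be run as one boot-time script, which is the kind of "spin-up script" the asker wanted. This is an added example for the thread, not code from the asker, Aaron, or Amazon; it assumes the domain name and SimpleAD DNS addresses shown in the nslookup output above, a log path of C:\ProgramData\domain-check.log, and that it runs at startup as a scheduled task.

```powershell
# Added example (not from the thread): boot-time domain/DNS health check for a
# Windows EC2 instance joined to a SimpleAD domain. Run at startup (scheduled task).
$Domain      = 'DOMAIN.net'                       # domain from the nslookup output above
$ExpectedDns = @('10.0.30.225', '10.0.20.23')     # SimpleAD DNS servers from the nslookup output
$LogPath     = 'C:\ProgramData\domain-check.log'  # assumed log location

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    $line = '{0} {1} {2,-30} {3}' -f (Get-Date -Format s), $status, $Name, $Detail
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# 1. Domain membership as the OS sees it (the "attached" state shown in System properties).
$cs = Get-CimInstance Win32_ComputerSystem
Write-Check 'PartOfDomain' $cs.PartOfDomain $cs.Domain

# 2. Every IPv4 adapter with DNS configured must point only at the SimpleAD servers.
#    A public resolver cannot answer for the private zone, which is Aaron's first suspicion.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $stray = $_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns }
        Write-Check "DNS servers ($($_.InterfaceAlias))" (-not $stray) ($_.ServerAddresses -join ',')
    }

# 3. Short names resolve only if the domain is the primary DNS suffix or in the search list
#    (servername -> servername.DOMAIN.net).
$primary  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
$hasSuffix = ($primary -eq $Domain) -or ($suffixes -contains $Domain)
Write-Check 'DNS suffix' $hasSuffix ("primary=$primary list=" + ($suffixes -join ','))

# 4. Locate a domain controller through the _ldap SRV record; this is what a domain-joined
#    client does at logon, and it fails if the wrong DNS servers are in use.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object Type -eq 'SRV'
    Write-Check 'DC SRV record' ($srv.Count -gt 0) (($srv | ForEach-Object NameTarget) -join ',')
} catch {
    Write-Check 'DC SRV record' $false $_.Exception.Message
}

# 5. Machine-account secure channel to a DC. A FAIL here with steps 1-4 OK points at the
#    computer account rather than DNS (the WORKGROUP/rejoin workaround resets this).
$secure = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
Write-Check 'Secure channel' ([bool]$secure) ''
```

Steps 2 to 4 are the DNS questions from this thread; if they all report OK after a reboot and the symptoms persist, the log narrows the problem to the secure channel or to the share/UNC side rather than name resolution.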
Tessando (asker):

This is good troubleshooting, but the issue still remains. I suspect that this will be resolved by using a document in the AWS EC2 Systems Manager Shared Resources. The key to this is that SimpleAD is Active Directory as-a-service, so some typical things like DNS server access/configuration aren't part of the plan. I suspect that I'm being a little bit of a "johnny-jump-off" on this so I'm going to close this question until I do some testing to confirm.