Running Microsoft AD Primary Domain Controller on AWS

Everyone has aging servers; it seems they are old by the time they are switched on. Coupled with Microsoft's complex server licensing, when it turned out we needed some of the newer features, namely custom certificates from a Microsoft Certificate Authority, we chose to spin up a simple EC2 server to make our lives easier rather than jump through hoops to upgrade our old server or purchase new hardware.

This configuration requires a bit more than just an EC2 instance:

  • A new Amazon VPC. If you run AD exposed to the public internet, you are insane.
  • A direct VPN connection to our office.
  • A NAT instance so the private subnet can reach the internet without piping traffic through the VPN.
  • A second VPN connection, or a “bastion” instance, to reach the VPC if the primary VPN is down.
  • A security device to act as the VPN endpoint on site (a SonicWall TZ-210 in our case).

Below is what we came up with:

[Diagram: scilucent-ad]

Both the ELB and the NAT instance sit in a “public” VPC subnet, while CA-1 sits in a private one. Only the private subnet has access to the local network link over the direct VPN connection.
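The two properties the component list and the subnet layout above depend on are that the domain controller's subnet has no direct internet gateway route (only the NAT instance and the VPN link) and that its security group admits traffic only from the VPC and the office network behind the VPN. The following audit script is an added example, not code from the original post; every CIDR, resource ID and JSON record in it is constructed to mimic the shape of `aws ec2 describe-route-tables` and `describe-security-groups` output, so it runs offline and can be pointed at real output later.

```python
"""Audit a VPC layout for a domain controller kept in a private subnet.

Added example (not from the original post). Checks:
  1. the private subnet's route table sends 0.0.0.0/0 to a NAT instance
     (or NAT gateway), never directly to an internet gateway (igw-*);
  2. the domain controller's security group has no ingress source outside
     the VPC CIDR or the on-premises network reached over the VPN.

All CIDRs, IDs and records below are constructed sample data (assumption:
they are not the post's real values); the dict shapes follow the AWS
`describe-route-tables` / `describe-security-groups` JSON output.
"""
import ipaddress

VPC_CIDR = "10.20.0.0/16"          # constructed VPC address block
OFFICE_CIDR = "192.168.10.0/24"    # constructed on-prem network behind the VPN
TRUSTED = [ipaddress.ip_network(c) for c in (VPC_CIDR, OFFICE_CIDR)]

# Constructed route table for the private subnet holding the DC (CA-1).
PRIVATE_ROUTE_TABLE = {
    "RouteTableId": "rtb-private-example",
    "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": OFFICE_CIDR, "GatewayId": "vgw-example"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-example"},
    ],
}

# Constructed security group attached to the domain controller.
DC_SECURITY_GROUP = {
    "GroupId": "sg-dc-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": VPC_CIDR}, {"CidrIp": OFFICE_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": OFFICE_CIDR}]},
    ],
}


def find_igw_routes(route_table):
    """Routes whose target is an internet gateway; any such route makes the subnet public."""
    return [r for r in route_table["Routes"]
            if r.get("GatewayId", "").startswith("igw-")]


def has_nat_default_route(route_table):
    """True if the 0.0.0.0/0 route points at a NAT instance or NAT gateway."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return "InstanceId" in r or "NatGatewayId" in r
    return False


def untrusted_sources(rule):
    """IPv4 source CIDRs in an ingress rule that fall outside every trusted network.

    Only IpRanges (IPv4) is inspected; the post's layout is IPv4-only.
    """
    bad = []
    for ipr in rule.get("IpRanges", []):
        net = ipaddress.ip_network(ipr["CidrIp"])
        if not any(net.subnet_of(t) for t in TRUSTED):
            bad.append(ipr["CidrIp"])
    return bad


def audit(route_table, security_group):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    rt_id = route_table["RouteTableId"]
    for r in find_igw_routes(route_table):
        findings.append(f"{rt_id}: route to internet gateway {r['GatewayId']} "
                        "makes the DC subnet public")
    if not has_nat_default_route(route_table):
        findings.append(f"{rt_id}: default route is not via a NAT instance/gateway")
    for rule in security_group["IpPermissions"]:
        bad = untrusted_sources(rule)
        if bad:
            findings.append(f"{security_group['GroupId']}: ports "
                            f"{rule.get('FromPort')}-{rule.get('ToPort')} "
                            f"open to untrusted source(s) {bad}")
    return findings


if __name__ == "__main__":
    for finding in audit(PRIVATE_ROUTE_TABLE, DC_SECURITY_GROUP) or ["layout OK"]:
        print(finding)
```

The route check deliberately treats any `igw-*` target as a finding rather than only a default route, since a more specific route to an internet gateway still exposes the subnet; the security-group check flags any source outside the VPC or office networks on any port, because a domain controller has no business accepting traffic from anywhere else.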

The SonicWall provides monitoring via ping over the dual VPN connections to AWS and will attempt to rectify any issues by renegotiating the tunnel. In reality this has been about 80% reliable.

For the AWS Windows instance you must use an EBS-backed instance or you will have a bad time. Treat this like any other Windows server you have: ensure you are backing it up properly, that security is well configured, and that you have a disaster recovery plan in place.