
Elastic Compute Service: What do I do if instances cannot access the AD domains of each other or instances cannot be added to the same AD domain at the same time?

Last Updated: Nov 20, 2024

This topic describes how to resolve the issue that Elastic Compute Service (ECS) instances cannot access the Active Directory (AD) domains of each other or instances cannot be added to the same AD domain at the same time.

Problem description

After you use the same Windows Server image to create multiple ECS instances, the instances cannot access the AD domains of each other or cannot be added to the same AD domain at the same time.

Cause

Instances that use the same Windows Server image have the same security identifier (SID). Therefore, the instances cannot access the AD domains of each other. You must change the SID of the instances and then build a domain environment.

Solutions

Create multiple Windows instances that have different SIDs at a time

The issue is fixed in the latest public images. Use the latest public image to create multiple instances at a time. The instances then have different SIDs.

Change the SID of a Windows instance

The built-in sysprep command in Windows removes specific system information, including SIDs, from images used by Windows instances. In this example, the AutoSysprep.ps1 PowerShell script runs the built-in sysprep command to change the SID of a Windows instance. Note that the sysprep command restores User Profile to the default value, so files created on the desktop are deleted after the command is run. If you want the script to be automatically deleted after the issue is resolved, place the AutoSysprep.ps1 script file on the desktop and execute the script from there.

Procedure

  1. Create a snapshot for the system disk of the instance to prevent data loss.

    For more information, see Create a snapshot of a disk.

  2. Connect to the instance.

    For more information, see Connect to a Windows instance by using a password or key.

  3. Start Command Prompt and run the powershell command to enter the PowerShell interactive mode.

    Note

    You must run the PowerShell commands as an administrator.

  4. Run the following command to switch to the root directory of the C drive:

    cd\

  5. Run the following command to view the SID of the instance:

    whoami /user

    The command output shows the user name and the SID of the current user.

  6. Click AutoSysprep to download the AutoSysprep script tool and upload the tool to the C drive of the Windows operating system.

  7. Go to the directory where the AutoSysprep.ps1 script tool is located and run the following command to view the description of the script tool:

    .\AutoSysprep.ps1 -help

    The command output describes the script tool and its parameters. For information about the parameters, see More information.

  8. Run the following command to run the script:

    .\AutoSysprep.ps1 -SkipRearm -Password "<$Password>" -PostAction "reboot"

    Note

    <$Password> specifies the password for the instance.

  9. Wait for a while and log on to the instance again.

    Note

    If the instance resides in the classic network, you must use a Virtual Network Computing (VNC) management terminal to connect to the instance. For more information, see Connect to a Windows instance by using a password.

  10. Run the following command to confirm that the SID of the instance is changed. Then, you can use the instance to build an AD domain environment.

    whoami /user
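
The SID shown by whoami /user is the machine SID followed by a relative ID, so the machine part is what must differ between instances. The following added example (not part of the original page or of AutoSysprep.ps1) extracts that part and compares it before and after sysprep. The function names and the record file C:\machine-sid-before.txt are hypothetical, the sample SIDs are constructed, and the script assumes Windows PowerShell, an administrator session, and that files in the root of the C drive persist across sysprep.

```powershell
# Added example. Get-WmiObject is part of Windows PowerShell (not PowerShell 7).
function Get-MachineSidFromAccountSid {
    param([Parameter(Mandatory = $true)][string]$AccountSid)
    # An account SID is the machine SID followed by a relative ID (RID),
    # for example ...-500 for the built-in Administrator account.
    if ($AccountSid -match '^(S-1-5-21-\d+-\d+-\d+)-\d+$') {
        return $Matches[1]
    }
    throw "Unexpected account SID format: $AccountSid"
}

function Get-LocalMachineSid {
    # Read the SID of any local account and strip its RID.
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    if (-not $account) { throw 'No local account found.' }
    return Get-MachineSidFromAccountSid -AccountSid $account.SID
}

function Compare-MachineSid {
    param([string]$RecordPath = 'C:\machine-sid-before.txt')  # hypothetical file name
    $current = Get-LocalMachineSid
    if (-not (Test-Path -Path $RecordPath)) {
        # First run (before sysprep): store the value for the later comparison.
        Set-Content -Path $RecordPath -Value $current
        return "Recorded $current"
    }
    $before = (Get-Content -Path $RecordPath | Select-Object -First 1).Trim()
    if ($before -eq $current) { return "UNCHANGED: $current" }
    return "CHANGED: $before -> $current"
}

# Constructed SIDs: two accounts on clones of one image share the machine prefix.
$cloneA = Get-MachineSidFromAccountSid 'S-1-5-21-1111111111-2222222222-3333333333-500'
$cloneB = Get-MachineSidFromAccountSid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
"Same machine SID: $($cloneA -eq $cloneB)"

# Run once before sysprep and once after the instance comes back up.
Compare-MachineSid
```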

More information

Parameter description

The following section describes the parameters of the AutoSysprep.ps1 script tool:

  • -SkipRearm: retains the Windows operating system in the current licensing state. If you do not specify this parameter, AutoSysprep restores the Windows operating system to the original licensing state.

  • -Password: resets the password for the instance. The password must meet the following requirements:

    • The password must be 8 to 30 characters in length and cannot start with a forward slash (/).

    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters include:

      ( ) ` ~ ! @ # $ % ^ & - _ + = | { } [ ] : ; ' < > , . ? /

    • If you do not specify the -Password parameter, AutoSysprep randomly generates the password.

    Note

    If you forget to set the password, you can reset the password in the ECS console after the instance SID is changed.

  • -Hostname: resets the hostname for the instance. The hostname must meet the following requirements:

    • The hostname must be 2 to 15 characters in length and cannot contain periods (.) and cannot be composed of only digits.

    • It can contain letters, digits, and hyphens (-).

    • The hostname cannot start or end with a period (.) or hyphen (-). It cannot contain consecutive periods (.) or hyphens (-).

    • If you do not specify the -Hostname parameter, AutoSysprep randomly generates the hostname.

  • -PostAction: specifies what operation to perform after the script is run. Options:

    • shutdown: the default option. The instance is stopped after the SID of the instance is changed.

    • reboot: The instance is restarted after the SID of the instance is changed.

    • quit: The original SID of the instance remains in the instance after the SID is changed.

  • -help: displays the introduction of the script tool and the description of the parameters in the AutoSysprep.ps1 script.
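
The -Password and -Hostname requirements listed above can be checked before the values are passed to the script. This is an added example, not part of AutoSysprep.ps1 or the original page. The function names Test-SysprepPassword and Test-SysprepHostname are hypothetical, the sample values are constructed, and the special-character set is copied from the list above with a straight apostrophe.

```powershell
function Test-SysprepPassword {
    param([Parameter(Mandatory = $true)][string]$Password)
    # Special characters copied from the list on this page (the apostrophe is
    # doubled to escape it inside a single-quoted PowerShell string).
    $special = '()`~!@#$%^&-_+=|{}[]:;''<>,.?/'
    if ($Password.Length -lt 8 -or $Password.Length -gt 30) { return $false }
    if ($Password.StartsWith('/')) { return $false }
    $types = 0
    if ($Password -cmatch '[A-Z]') { $types++ }   # -cmatch is case-sensitive
    if ($Password -cmatch '[a-z]') { $types++ }
    if ($Password -cmatch '[0-9]') { $types++ }
    if ($Password.IndexOfAny($special.ToCharArray()) -ge 0) { $types++ }
    return ($types -ge 3)                         # at least three character types
}

function Test-SysprepHostname {
    param([Parameter(Mandatory = $true)][string]$Hostname)
    if ($Hostname.Length -lt 2 -or $Hostname.Length -gt 15) { return $false }
    # Letters, digits and hyphens only, which also excludes periods.
    if ($Hostname -notmatch '^[A-Za-z0-9-]+$') { return $false }
    # Must not consist of digits only.
    if ($Hostname -match '^[0-9]+$') { return $false }
    # No leading, trailing or consecutive hyphens.
    if ($Hostname -match '^-|-$|--') { return $false }
    return $true
}

# Constructed sample values, not real credentials or hostnames.
'Ecs@2024demo', 'alllowercase', '/Slash1Start' | ForEach-Object {
    "password {0,-14} valid={1}" -f $_, (Test-SysprepPassword -Password $_)
}
'ad-node-01', '20241120', 'web--01', '-edge' | ForEach-Object {
    "hostname {0,-14} valid={1}" -f $_, (Test-SysprepHostname -Hostname $_)
}
```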

An error occurs when you view the description of the script in Windows Server 2008

Problem description

Run the following command to view the script description:

.\AutoSysprep.ps1 -help

A command output that is similar to the following is displayed:

Unable to load file C:\Sysprep.ps1 because script execution is prohibited in this system.

Solution

Run the following command to modify the execution policy of PowerShell on the Windows operating system:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

No digital signature is generated when the script is run on Windows Server 2008

Problem description

Run the following command to run the script:

.\AutoSysprep.ps1 -skiprearm -postaction "reboot"

A command output that is similar to the following is displayed:

Unable to load file C:\Sysprep.ps1 because the file C:\Sysprep.ps1 has not been digitally signed.

Solution

Run the following command to run the script:

powershell -executionpolicy bypass -file c:\AutoSysprep.ps1 -skiprearm -postaction "reboot"

Note

If you have no special requirements, AutoSysprep randomly generates the password and hostname.