Active Directory (AD) is a directory service technology developed by Microsoft. You can use AD to manage and organize users, computers, and other objects in a network and provide authentication, authorization, and directory services. An AD domain is a logical group that serves as the basic unit of AD. All computers, users, and other objects in an AD domain share the same settings, such as policy configurations and security policies. This topic describes how to build an AD domain and join a client to the AD domain. In the example, Elastic Compute Service (ECS) instances that run Windows Server 2016 Datacenter are used.
Prerequisites
Two ECS instances are created. One ECS instance serves as an AD domain controller of an AD domain and the other ECS instance serves as a client to join the AD domain. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
The following configurations are used in this topic:
Networking information: The ECS instances are deployed in a virtual private cloud (VPC) and connected to a vSwitch that is associated with the CIDR block 172.31.0.0/16.
Domain information: The root domain name of an AD domain is used. Example: example.com.
IP addresses of ECS instances: The IP address 172.31.106.88 is assigned to the ECS instance that is used as an AD domain controller. The IP address 172.31.106.87 is assigned to the ECS instance that is used as an AD domain client.
Important: When you build an AD domain, make sure that the IP address of each ECS instance remains unchanged. Domain clients locate the domain controller through the DNS server address that you configure in Step 2, so a changed IP address breaks access to the domain.
Step 1: Deploy an AD domain controller
We recommend that you do not deploy an AD domain controller by creating a custom image from an ECS instance on which an AD domain controller is already deployed and then creating a new ECS instance from that custom image. A domain controller's hostname is registered in the directory and in its DNS records, so a clone with a different hostname does not match the directory data. If you do deploy a domain controller this way, specify the hostname of the original instance for the new instance when you create it, or change the hostname of the new instance to the hostname of the original instance after you create it.
Connect to the ECS instance that you want to use as an AD domain controller.
For more information, see Methods for connecting to an ECS instance.
Start Server Manager.
In the lower-left corner of the desktop, click the Start icon, enter Server Manager in the search box, and then click Server Manager in the search results.
In the Server Manager window, add roles and features.
In this example, the AD DS and DNS Server roles are deployed on the same server. Perform the following steps.
Important: Steps that are not described in this section use the default settings. For those steps, keep the defaults and click Next.
Click Add roles and features.
Select an installation type.
Select the server on which you want to install roles and features.
In the role list, select Active Directory Domain Services and DNS Server.
After the installation is complete, click Close.
Configure the ECS instance as an AD domain controller.
Important: Steps that are not described in this section use the default settings. For those steps, keep the defaults and click Next.
In the upper-right corner of the Server Manager window, click the Notifications flag icon and select Promote this server to a domain controller.
In the Active Directory Domain Services Configuration Wizard, set the Select deployment operation parameter to Add a new forest and enter a domain name in the Root domain name field.
In this example, example.com is entered as the root domain name.
Configure the domain controller options and click Next. These options include the Directory Services Restore Mode (DSRM) password. Choose a strong password and store it separately from other administrator credentials, because DSRM grants offline access to the directory database.
Configure the DNS options and click Next.
Configure the NetBIOS domain name and click Next.
Confirm your configurations and click Next.
Confirm that the prerequisites validation is complete and click Install.
Wait for the installation to complete. The ECS instance restarts. Reconnect to the instance and check the system information. If Active Directory Domain Services are installed, the domain controller information that you specified is displayed, as shown in the following figure.
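The following script is an added example, not part of the original topic, that performs Step 1 from an elevated PowerShell session on the instance that is to become the domain controller (172.31.106.88 in this topic). It uses the same root domain name, example.com. The NetBIOS name EXAMPLE and the assumption that the server has a single network adapter are choices made for this example; the wizard derives the NetBIOS name from the domain name by default.

```powershell
# Added example: unattended equivalent of Step 1 (AD DS + DNS on one server).
# Run in an elevated PowerShell session on the future domain controller.
$DomainName  = 'example.com'   # root domain name used throughout this topic
$NetbiosName = 'EXAMPLE'       # assumption: NetBIOS name chosen for this example

# 1. Install the AD DS and DNS Server roles together with their management tools.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. Prompt for the DSRM (Safe Mode Administrator) password instead of embedding it.
#    DSRM gives offline access to the directory database, so this secret must be strong
#    and must never be stored next to the script.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

# 3. Create a new forest. -InstallDns matches the wizard default of hosting DNS on the
#    same server. The instance restarts automatically when promotion completes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# 4. After the restart, reconnect and call Test-NewForest to confirm the result:
#    the server must report itself as a DC and its own DNS service must publish the
#    DC locator SRV record that clients query during domain join.
function Test-NewForest {
    param([string]$Domain = 'example.com')
    Import-Module ActiveDirectory
    Get-ADDomainController -Identity $env:COMPUTERNAME |
        Select-Object HostName, IPv4Address, IsGlobalCatalog, Domain, Forest
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 |
        Where-Object Type -eq 'SRV' |
        Select-Object Name, NameTarget, Port
}
```

Run the script once; after the automatic restart, open a new session and run `Test-NewForest`. If the SRV query returns no record, clients will not be able to find the domain controller even though the promotion itself succeeded, so fix DNS before continuing to Step 2.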
Step 2: Join the client to the AD domain
After you join the ECS instance that is used as a client to the AD domain, we recommend that you do not use the instance to create a custom image. A domain-joined system stores its computer account secret locally, so every instance created from such an image would present the same computer identity to the domain. If you need a custom image from the instance, remove the instance from the AD domain first.
ECS instances that are created from the same custom (non-public) image share the same security identifier (SID). If the AD domain client and the AD domain controller are created from the same custom image, change the SID of the client before you join it to the domain. For more information, see the Change the SID of an AD domain client section of this topic.
Connect to the ECS instance that is used as an AD domain client.
For more information, see Methods for connecting to an ECS instance.
Change the DNS server address on the AD domain client.
Change the DNS server address on the AD domain client to the IP address of the ECS instance on which the DNS server is deployed. For example, you deployed the AD domain controller and the DNS server on the same ECS instance whose IP address is 172.31.106.88 in Step 1: Deploy an AD domain controller. In this case, specify 172.31.106.88 as the DNS server address.
Check whether the DNS server is reachable by pinging its IP address, for example, ping 172.31.106.88.
If replies are returned, the DNS server is reachable. A successful ping confirms only network connectivity. To confirm that the server also answers DNS queries for the domain, run nslookup example.com 172.31.106.88 and verify that it resolves to the domain controller.
Join the AD domain client to the AD domain.
Go to the System page in the Control Panel.
In the lower-left corner of the desktop, click the Start icon, enter control panel in the search box, and then click Control Panel in the search results.
Choose System and Security > System.
In the upper-right corner of the Computer name, domain, and workgroup settings section, click Change settings.
In the System Properties dialog box, click Change.
In the Computer Name/Domain Changes dialog box, select Domain under Member of and enter the root domain name that you specified in Step 1: Deploy an AD domain controller. In this example, example.com is used as the root domain name of the AD domain. When prompted, enter the credentials of a domain account that is permitted to join computers to the domain.
Restart the server for the changes to take effect.
After you join the ECS instance that is used as a client to the AD domain, the root domain name of the AD domain is displayed in the computer information of the instance.
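The following script is an added example, not part of the original topic, that performs Step 2 from an elevated PowerShell session on the client (172.31.106.87 in this topic). It points the client at the DNS service on the domain controller (172.31.106.88), checks that the server actually answers the DC locator query rather than only responding to ping, and then joins example.com. It assumes the client has one active network adapter and that you hold a domain account allowed to join computers; credentials are prompted for, not stored.

```powershell
# Added example: unattended equivalent of Step 2, run on the AD domain client.
$DnsServer  = '172.31.106.88'   # DC and DNS server from Step 1
$DomainName = 'example.com'

# 1. Point the client at the DC's DNS service only. A public resolver left in the
#    list cannot answer the _msdcs SRV queries that domain location depends on.
#    Assumption: the first adapter that is Up is the VPC-facing one.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServer

# 2. Reachability check (the ping from the topic) ...
if (-not (Test-Connection -ComputerName $DnsServer -Count 2 -Quiet)) {
    throw "DNS server $DnsServer is not reachable"
}
#    ... and the check that matters: the server must advertise a DC for the domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                       -Server $DnsServer -ErrorAction Stop
"Domain controller(s) advertised for ${DomainName}:"
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# 3. Join the domain. The account is prompted for; never hard-code it in a script.
$cred = Get-Credential -Message "Account in $DomainName permitted to join computers"
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force

# 4. After the restart, call Test-DomainJoin to confirm membership and that the
#    secure channel to a domain controller is established.
function Test-DomainJoin {
    param([string]$Domain = 'example.com')
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
    }
    nltest /sc_verify:$Domain
}
```

If step 2 throws before the join is attempted, the problem is DNS rather than credentials: confirm that the value you set matches the domain controller's IP address from Step 1 and that the DNS Server role on that instance is running.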
Related operations
Change the SID of an AD domain client
Use the Windows built-in Sysprep tool to change the SID of an AD domain client.
Find the program named Sysprep.exe. In most cases, the program is stored in the C:\Windows\System32\Sysprep directory.
Run Sysprep.exe as an administrator, select Generalize, and then click OK.
Generalizing removes machine-specific state from the installation, including the SID. After the client restarts, it completes the out-of-box experience (OOBE) with a new SID. Then, you can join (or rejoin) the client to the AD domain. If the client is already a domain member, remove it from the domain before you run Sysprep so that a stale computer account is not left in the directory.
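The following script is an added example, not part of the original topic, that checks for the duplicate-SID condition described in Step 2 before deciding whether Sysprep is needed. The machine SID is the SID of the built-in Administrator account (always relative ID 500) with that RID removed, so the script reads it from the local account database. The domain controller's machine SID is assumed to have been recorded beforehand by running the same Get-MachineSid function on the DC; the value in the script is a constructed placeholder and must be replaced with the real one.

```powershell
# Added example: detect a cloned SID and generalize the client with Sysprep.
# Run in an elevated PowerShell session on the AD domain client.

function Get-MachineSid {
    # The built-in Administrator account has RID 500 on every Windows installation.
    # Stripping "-500" from its SID yields the machine SID that clones share.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
    return $admin.SID -replace '-500$', ''
}

# Constructed placeholder: record the real value by running Get-MachineSid on the DC.
$dcMachineSid = 'S-1-5-21-1111111111-2222222222-3333333333'

$clientSid = Get-MachineSid
if ($clientSid -eq $dcMachineSid) {
    Write-Warning "Machine SID $clientSid matches the domain controller: both instances came from the same image."
    # /generalize strips machine-specific state including the SID; /oobe runs the
    # out-of-box experience on the next boot; /reboot restarts automatically.
    # If this client is already domain-joined, run Remove-Computer first.
    & "$env:SystemRoot\System32\Sysprep\Sysprep.exe" /generalize /oobe /reboot
} else {
    "Machine SIDs differ ($clientSid vs $dcMachineSid); no SID change is required before joining."
}
```

Treat Sysprep /generalize as a reset of the instance, not a small change: local account passwords, installed-driver state, and the computer name are reinitialized during OOBE, so run it before any workload is configured on the client.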
Use an AD domain
After you build an AD domain on an ECS instance and join another ECS instance as a client to the AD domain, you can perform operations based on your business requirements, such as creating users and groups. For more information, see Active Directory Domain Services Overview.