This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-microsoft-activedirectory.
We will archive this repository and keep it publicly available until May 1, 2024.
AWS Quick Start Team
License: Apache License 2.0
What Region are you launching this in? Do you have access or the ability to leverage AWS Secrets Manager? We currently generate some passwords with Secrets Manager, as well as store the Password you specify in secrets manager. If you can provide the error message that would be greatly appreciated.
Originally posted by @virtlima in #15 (comment)
Create fails for DomainController1 with event message "API: ec2:RunInstances Not authorized for images: [ami-a04e16cf]" in Mumbai (ap-south-1).
I also get the same error in Seoul (ap-northeast-2), but with ami-9e75d9f0.
I stopped trying after that.
Getting error at this line https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/main/scripts/Post-Config.ps1#L27
Get-ADDomain : The term 'Get-ADDomain' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\Amazon\SSM\InstanceData\i-08462dbc62ba247b3\document\orchestr
ation\f48d16ad-015e-447c-b9e0-5fd0daf63d73\downloads\Post-Config.ps1:25 char:11
+ $Domain = Get-ADDomain
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-ADDomain:String) [], Comman
dNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
failed to run commands: exit status 255
Any help appreciated.
Hey,
I try to use Template_1_AD_2012R2.template, but it hangs on DomainController1WaitCondition. Those are the parameters:
I put in quite a strong password, at least 8 characters with numbers, lowercase and uppercase letters, and digits.
After a long time I get:
Embedded stack <...> was not successfully created: The following resource(s) failed to create: [DomainController1WaitCondition].
Any ideas?
Thanks
11:13:22 UTC-0400 | CREATE_FAILED | AWS::EC2::Instance | DomainController2 | Failed to receive 1 resource signal(s) within the specified duration |
This is the error I received. I literally ran the stack two days ago and it succeeded. Now it hangs on the second DC for 20+ minutes and then rolls back. I am running now again with Rollback disabled.
The documentation https://aws-quickstart.github.io/quickstart-microsoft-activedirectory/#_security indicates that three security groups are created:
DomainControllerSG with ports for TCP5985, TCP53, UDP53, TCP80, TCP3389 from VPC CIDR and all from self and UDP123, TCP135, UDP138, UDP137, TCP139, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389, TCP5722, UDP5355, (ICMP -1) from DomainMemberSG
DomainMemberSG with ports for UDP88, TCP88, TCP445, UDP445, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636 from the AD controllers
RDGWSecurityGroup with ports for TCP3389 from RDGWCIDR
However, the CloudFormation Stacks create only two security groups with names and rules that differ from the documentation:
DomainControllersSecurityGroup with ports for UDP445, UDP138, UDP49152 - 65535, UDP464, TCP464, TCP49152 - 65535, UDP389, UDP53, TCP389, UDP123, TCP3389, TCP445, TCP9389, TCP5985, TCP3268, TCP88, TCP135, TCP636, TCP3269, TCP53, UDP88 and all from self
DomainMembersSecurityGroup with ports for TCP3389, TCP5985, TCP5986
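To make a discrepancy like this checkable instead of eyeballed, here is an added example (not code from the Quick Start) that parses the two DomainController port lists quoted above into normalized rules, reports what the created group is missing or adds, and answers single-port questions across the 49152-65535 ranges. It models only protocol and port range, not the rule source (VPC CIDR, member SG, or self), which the report also says differs between documentation and templates.

```python
import re
from typing import List, Set, Tuple

# One normalized rule: (protocol, from_port, to_port). ICMP -1 means "all types".
Rule = Tuple[str, int, int]

# Port lists copied from the issue text above (documented vs. created).
DOCUMENTED_DC_SG = (
    "TCP5985, TCP53, UDP53, TCP80, TCP3389, "
    "UDP123, TCP135, UDP138, UDP137, TCP139, TCP445, UDP445, TCP464, UDP464, "
    "TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, "
    "TCP88, UDP88, UDP67, UDP2535, TCP9389, TCP5722, UDP5355, (ICMP -1)"
)
CREATED_DC_SG = (
    "UDP445, UDP138, UDP49152 - 65535, UDP464, TCP464, TCP49152 - 65535, UDP389, "
    "UDP53, TCP389, UDP123, TCP3389, TCP445, TCP9389, TCP5985, TCP3268, TCP88, "
    "TCP135, TCP636, TCP3269, TCP53, UDP88"
)

# Accepts "TCP53", "UDP49152 - 65535", "TCP49152-65535" and "ICMP -1".
_RULE_RE = re.compile(r"^(TCP|UDP|ICMP)\s*(-?\d+)(?:\s*-\s*(\d+))?$", re.IGNORECASE)


def parse_rules(text: str) -> Set[Rule]:
    """Parse a comma-separated port list into a set of (proto, lo, hi) rules."""
    rules: Set[Rule] = set()
    for item in text.split(","):
        item = item.strip().strip("()").strip()   # "(ICMP -1)" -> "ICMP -1"
        if not item:
            continue
        m = _RULE_RE.match(item)
        if not m:
            raise ValueError(f"unrecognised rule: {item!r}")
        proto = m.group(1).upper()
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        rules.add((proto, lo, hi))
    return rules


def fmt(rule: Rule) -> str:
    """Render a rule back in the notation the issue uses."""
    proto, lo, hi = rule
    if proto == "ICMP":
        return f"ICMP {lo}"
    return f"{proto}{lo}" if lo == hi else f"{proto}{lo}-{hi}"


def diff_rules(documented: str, created: str) -> Tuple[List[str], List[str]]:
    """Return (documented but not created, created but undocumented)."""
    doc, cre = parse_rules(documented), parse_rules(created)
    return sorted(map(fmt, doc - cre)), sorted(map(fmt, cre - doc))


def allows(rules: Set[Rule], proto: str, port: int) -> bool:
    """True if any rule (including a range, or ICMP -1) covers proto/port."""
    proto = proto.upper()
    for p, lo, hi in rules:
        if p != proto:
            continue
        if p == "ICMP" and lo == -1:   # -1 covers every ICMP type
            return True
        if lo <= port <= hi:
            return True
    return False


if __name__ == "__main__":
    missing, extra = diff_rules(DOCUMENTED_DC_SG, CREATED_DC_SG)
    print("documented but not created:", ", ".join(missing) or "none")
    print("created but undocumented:", ", ".join(extra) or "none")
    created = parse_rules(CREATED_DC_SG)
    print("RPC ephemeral TCP 50000 allowed:", allows(created, "tcp", 50000))
```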
Hi,
I'm new to Git and AWS and I was trying to use CloudFormation to deploy "https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html", but whenever I run this template from CloudFormation it errors and says that the following doesn't exist: "submodules/quickstart-aws-vpc", "templates/aws-vpc.template".
I created those folders in my S3 and uploaded the template but it still doesn't work.
How do I reference GitHub in AWS CloudFormation? I would appreciate it if you could help.
When I attempt to use the quickstart, I get this error while it's trying to create the Remote Desktop Gateway.
Embedded stack arn:aws:cloudformation:ap-southeast-2:972620357255:stack/Active-Directory-DS-RDGWStack-1FD6NW99W1XIQ/4f63d070-c8fe-11e8-a752-06a653fc8ec8 was not successfully created: The following resource(s) failed to create: [RemoteDesktopGatewaySG, RDGWHostRole, EIP1].
I ran the quickstart in the Sydney Region.
Thanks if anyone has a solution to this!
Hi, the mgmt-1.template description claims to deploy an Enterprise CA. When I RDP into this instance, its list of server roles does not include Active Directory Certificate Services and certsrv.msc is not found.
Is the description wrong, or could CA feature installation have failed?
Hi good morning.
I actually have an OpenVPN AMI on another VPC in the same region where I launched the Scenario-2 master stack.
I've done the Peering connection between the OpenVPN VPC and the Scenario-2 VPC, I've made a Security group for the traffic coming from the OpenVPN VPC and attached it to the Scenario-2 DC1 and DC2, but still I can't connect to my Scenario-2 DCs. The only way that I managed to connect is associating the private subnets from the Scenario-2 VPC to the route table from that VPC.
I don't know if this is the right way to do it or if there is a better and correct way to do it.
Can you help me?
@virtlima
The bring-your-own-VPC ad3 template does not include an RDP gateway to access resources externally, where the other from-scratch VPC builds do. Not sure if this is an oversight or intended. Would like to see the existing-VPC template include this.
When getting instance IDs, the Automation Document only relies on the Name tag. If there are instances with the same Name tag, this causes issues when running the Automation. Need a mechanism to get only the instance IDs deployed by the CloudFormation Stack.
When deploying the Quick Start in scenario 1 the SSM automation sometimes freezes at the step configDC1.
On investigation, I found that during this frozen state the DC1 instance could not be reached by SSM Session Manager. Connecting via RDP and running Get-DnsClientServerAddress revealed that no DNS server was configured (and so the SSM agent could not reach ssm.amazonaws.com). I encountered this issue quite a few times, and manually running Start-DscConfiguration via RDP would allow the automation to resume.
I believe this is due to an issue in scripts/ConfigDC1.ps1. DnsServerAddress[DnsServerAddress] (line 211) depends on [WindowsFeature]DNS, but [NetIPInterface]DisableDhcp (line 193) does not, so if a reboot occurs between those two resources then no DNS server will be configured at boot. Manually running Start-DscConfiguration would then resume the configuration, correctly setting the DNS server to 127.0.0.1.
I think I was able to resolve the problem by adding [WindowsFeature]DNS as a DependsOn for [NetIPInterface]DisableDhcp, [IPAddress]SetIP and [DefaultGatewayAddress]SetDefaultGateway, but this does produce a warning when [WindowsFeature]DNS is installing since a static IP is not set.
Lines 193-216 in my updated script are now:
NetIPInterface DisableDhcp {
Dhcp = 'Disabled'
InterfaceAlias = 'Primary'
AddressFamily = 'IPv4'
DependsOn = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS'
}
IPAddress SetIP {
IPAddress = $IPADDR
InterfaceAlias = 'Primary'
AddressFamily = 'IPv4'
DependsOn = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
}
DefaultGatewayAddress SetDefaultGateway {
Address = $GatewayAddress
InterfaceAlias = 'Primary'
AddressFamily = 'IPv4'
DependsOn = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
}
DnsServerAddress DnsServerAddress {
Address = '127.0.0.1'
InterfaceAlias = 'Primary'
AddressFamily = 'IPv4'
DependsOn = '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
}
I am not certain if this is the correct way to fix the issue, or even if I have correctly identified the root cause of the issue I was having, but it seemed to work for me.
My on-premise Domain Controller is 2019.
Can you please update the master Stack to use Windows 2019 Server?
Regards!
Without being able to add comments in JSON, it's difficult to use this template as the basis for new company infrastructure. It would be great if all these examples were converted to YAML.
I've noticed the CF code here doesn't support t2.small instances in the main/sub modules. That instance type does fall within the specs for the OSes, and would be handy for smaller environments, labs, etc. Is this intentional? If not, I can throw in a commit to update that; I just wasn't sure if there was a list of supported instance types that t2.small wasn't on or something like that.
Example:
ADServerInstanceType:
  AllowedValues:
    - t2.medium
    - t3.medium
    - t2.large
    - t3.large
    - m4.large
    - m4.xlarge
    - m4.2xlarge
    - m4.4xlarge
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5.4xlarge
  Default: m5.large
  Description: Amazon EC2 instance type for Active Directory Controller instances
  Type: String
The ad-n.template files have the following issues when deploying in GovCloud:
The ad-1.template file has the following issue when deploying in GovCloud:
For some reason SSM RunCommand is failing on DC1/2, scenario 1.
Looked around in SSM, but couldn't figure out what's wrong. CFN reference to S3 is correct, and I successfully downloaded the template file from inside the instance.
install-ad-modules.ps1 is the one showing in the logs, but just because it is the first one. I tried to manually run the SSM RunCommand on the other scripts (like LCM-Config.ps1), and it fails too.
I've created a new SSM Document to download the S3 file to the instance (aws:downloadcontent) and it works fine.
On CloudWatch I'm getting:
----------ERROR-------
AccessDenied: Access Denied
status code: 403, request id: XXXXXX, host id: XXXXXX
----------ERROR-------
./install-ad-modules.ps1 : The term './install-ad-modules.ps1' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\Amazon\SSM\InstanceData\i-XXXXXX\document\orchestration\XXXXXX\runPowerShellScript_script.ps1:4 char:2
It doesn't look like there is a Cloudformation template for any of the scenarios when trying to launch into a new VPC. I'm trying to launch the quickstart into a new VPC if possible.
I am testing with the latest Install-ADDSForest script and it's not working. I am seeing this error:
I logged into the box to see what happened, and the values that are being passed into the Install-ADDSForest script are incorrect.
From the Install-ADDSForest.ps1 transcript:
Host Application: powershell.exe -Command c:\cfn\scripts\Install-ADDSForest.ps1 -DomainNetBIOSName etrn-addc1 -DomainAdminUser StackAdmin -DomainDNSName awsetrn.etrn.com -SSMParamName CFN-ADPassword-onYissgUM3pU
But in the script, this is the command being run:
Install-ADDSForest -DomainName $DomainDNSName -DomainNetbiosName $DomainNetBIOSName -SafeModeAdministratorPassword (ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force) -DomainMode Default -ForestMode Default -Confirm:$false -Force
The value in parameter $DomainNetBIOSName is actually the hostname, as defined by CFT parameter ADServer1NetBIOSName.
Here's the problem right here in the CFT. The CFT needs to be updated for the Quickstart to work.
"2-install-adds": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Install-ADDSForest.ps1 -DomainNetBIOSName ", { "Ref": "ADServer1NetBIOSName" }, " -DomainAdminUser ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ]
Update ADServer1NetBIOSName with DomainNetBIOSName.
Originally posted by @Schizamp in https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/issue_comments#issuecomment-424430126
The script Install-ADDSForest.ps1 doesn't use the parameter DomainNetBIOSName at all when calling Install-ADDSForest; I have to specify a different DomainNetBIOSName.
Hi,
I'm trying to use this quick start in an AWS GovCloud region. I copied "quickstart-microsoft-activedirectory" to my S3 and modified the template to point to my S3.
It failed with following error: Partition "aws" is not valid for resource "arn:aws:iam::accountnumber:role/ADDC-AWSQuickstartADDSRole-number".
(Service: AmazonIdentityManagement; Status Code: 400, Error Code: malformedPolicyDocument)
Yes, I was able to deploy just after I changed the password from Admin12xrfD!# (example) to e.g. AdCmFXan12!%2. Likely "Admin" was part of the password phrase and the user name simultaneously; it looks like it fell against some DC policy, I suppose. After the password change, the CF stack was deployed seamlessly. I had analyzed logs in CloudWatch Logs and noticed the exception on violating the password policy. You may easily try to replicate the issue.
Originally posted by @smolnik in #15 (comment)
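A pre-flight check for the password-policy failure described in the comment above, added here as an example and not part of the Quick Start's code. It implements the default Windows AD complexity rules (no account name, no display-name fragment of three or more characters, at least three of five character classes, and a minimum length that defaults to the Default Domain Policy's 7); the account name "Admin" and the two sample passwords are taken from the comment, and "StackAdmin" / "Stack Admin" are constructed to show the display-name check.

```python
import re
from typing import List

# Windows splits the display name on commas, periods, dashes, underscores,
# spaces, pound signs and tabs; fragments shorter than three characters are ignored.
_NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")


def _char_categories(password: str) -> int:
    """Count the character categories present; the policy requires three of five."""
    cats = [
        any(c.isupper() for c in password),                         # A-Z
        any(c.islower() for c in password),                         # a-z
        any(c.isdigit() for c in password),                         # 0-9
        any(not c.isalnum() for c in password),                     # ! $ # % ...
        # Letters with no case (e.g. CJK) form the fifth category.
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(cats)


def check_ad_password(password: str, account_name: str, full_name: str = "",
                      min_length: int = 7) -> List[str]:
    """Return the complexity violations for this password (empty list = acceptable).

    min_length=7 matches the Default Domain Policy; pass your own policy's value.
    """
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    pw = password.lower()
    # The sAMAccountName is checked whole, case-insensitively, and skipped under 3 chars.
    if len(account_name) >= 3 and account_name.lower() in pw:
        problems.append(f"contains the account name {account_name!r}")

    # Any display-name fragment of three or more characters must not appear either.
    for token in _NAME_SEPARATORS.split(full_name):
        if len(token) >= 3 and token.lower() in pw:
            problems.append(f"contains the name fragment {token!r}")

    if _char_categories(password) < 3:
        problems.append("fewer than three character categories")
    return problems


if __name__ == "__main__":
    # Constructed inputs based on the comment above.
    for pw, user in [("Admin12xrfD!#", "Admin"), ("AdCmFXan12!%2", "Admin")]:
        print(f"{pw!r} for {user!r}: {check_ad_password(pw, user) or 'OK'}")
```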
The Install-ADDSDC.ps1 file is full of syntax errors. I receive the following errors when running the file.
2018-07-26 12:06:31,141 [DEBUG] Running command 2-add-dc
2018-07-26 12:06:31,141 [DEBUG] No test for command 2-add-dc
2018-07-26 12:06:31,750 [ERROR] Command 2-add-dc (powershell.exe -Command c:\cfn\scripts\Install-ADDSDC.ps1 -DomainNetBIOSName REDACTED-DomainAdminUser REDACTED-DomainDNSName REDACTED -SSMParamName REDACTED) failed
2018-07-26 12:06:31,750 [DEBUG] Command 2-add-dc output: At C:\cfn\scripts\Install-ADDSDC.ps1:306 char:187
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:310 char:18
+ </form> </li>
+ ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:359 char:250
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:394 char:92
+ ... ss="description">Be notified when participating or @mentioned.</span>
+ ~
Missing property name after reference operator.
At C:\cfn\scripts\Install-ADDSDC.ps1:394 char:92
+ ... ss="description">Be notified when participating or @mentioned.</span>
+ ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:454 char:242
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:468 char:10
+ </form> </div>
+ ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:676 char:293
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:827 char:198
+ ... UTF-8" method="get"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:830 char:12
+ </form> </details-dialog>
+ ~
The '<' operator is reserved for future use.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : AmpersandNotAllowed
Thanks!
I learned the hard way that your stack name cannot contain "aws", "amazon", or "amzn", because some resources created have that constraint. It may be worth mentioning in the doc.
Hi good afternoon.
I have set up scenario 1 with the new VPC quickstart.
How can I connect with RDP to my server? Do I need to set up an RD Gateway?
How can I join a Windows 10 Pro PC to my new AWS cloud domain?
I don't find any documentation about this.
Thanks.
I am running into a DomainController Wait Condition error when deploying scenario1 of the Cloudformation Stack. The high-level error I receive is Embedded stack arn:aws:cloudformation:us-east-2:129774511219:stack/Active-Directory-DS-ADStack-15BBY8T0X8B52/b979a2a0-61ed-11e8-8912-50faf8bfacd1 was not successfully created: The following resource(s) failed to create: [DomainController2WaitCondition].
I'm getting the error below when trying to run scenario 1.
C:\ProgramData\Amazon\SSM\InstanceData\i-0955fb4db3df03d62\document\orchestrati
on\7a564895-984e-4f81-bfa7-539e6974ac6f\downloads\ConfigDC1.ps1 : A parameter
cannot be found that matches parameter name 'PrivateSubnet1CIDR
Looking at the code, it seems ConfigDC1.ps1 doesn't define this parameter in its list of parameters. Yet ad-1-yaml.template calls ConfigDC1.ps1 with the PrivateSubnet1CIDR parameter:
commandLine: "./ConfigDC1.ps1 -ADServer1NetBIOSName {{ADServer1NetBIOSName}} -DomainNetBIOSName {{DomainNetBIOSName}} -DomainDNSName {{DomainDNSName}} -ADAdminSecParam {{ADAdminSecParamName}} -ADAltUserSecParam {{ADAltUserSecParamName}} -RestoreModeSecParam {{RestoreModeSecParamName}} -SiteName {{global:REGION}} -PrivateSubnet1CIDR {{PrivateSubnet1CIDR}} -PublicSubnet1CIDR {{PublicSubnet1CIDR}} -PrivateSubnet2CIDR {{PrivateSubnet2CIDR}} -PublicSubnet2CIDR {{PublicSubnet2CIDR}}"
I get the following Create Failed event message when trying to launch it in Paris (eu-west-3):
Template error: Unable to get mapping for AWSAMIRegionMap::eu-west-3::WS2012R2
The Mappings section of the template just needs to have the Paris region added with the correct ami id.
There's a discrepancy in the allowed instance types for the RDGW Instance Type, which allows the user to specify an instance type in the master template that is not valid in the nested template.
RDGWInstanceType:
  Description: Amazon EC2 instance type for the Remote Desktop Gateway instances
  Type: String
  Default: t3.large
  AllowedValues:
    - t2.small
    - t2.medium
    - t2.large
    - t3.small
    - t3.medium
    - t3.large
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5.4xlarge
RDGWInstanceType:
  Description: Amazon EC2 instance type for the Remote Desktop Gateway instances
  Type: String
  Default: t3.2xlarge
  AllowedValues:
    - t2.large
    - t3.micro
    - t3.small
    - t3.medium
    - t3.large
    - t3.xlarge
    - t3.2xlarge
    - t3a.micro
    - t3a.small
    - t3a.medium
    - t3a.large
    - t3a.xlarge
    - t3a.2xlarge
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5a.large
    - m5a.xlarge
    - m5a.2xlarge
Specifying t2.small, t2.medium or m5.4xlarge in the master stack will cause the RDGWStack stack creation to fail.
I have been racking my head on this one for some time. I am running the AD-1.template in GovCloud in an existing VPC. I have all my parameters correct and have even set the Wait Condition to 4 hours but always get the Failed Signal for DC2 to complete configuration.
Here is the last CloudWatch Log entry.
VERBOSE: [DC1]: LCM: [ Start Resource ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ Start Test ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Test-TargetResource: Testing the
network adapter Name 'Primary'.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Find-NetworkAdapter: Finding
network adapters matching the parameters.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Find-NetworkAdapter: 1 network
adapters were found matching the parameters.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Test-TargetResource: A network
adapter was found with the intended new name 'Primary' of the Adapter. No rename required.
VERBOSE: [DC1]: LCM: [ End Test ] [[NetAdapterName]RenameNetAdapterPrimary] in 1.5430 seconds.
VERBOSE: [DC1]: LCM: [ Skip Set ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ End Resource ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ Start Resource ] [[User]AdministratorPassword]
16:46:20
VERBOSE: [DC1]: LCM: [ Start Test ] [[User]AdministratorPassword]
VERBOSE: [DC1]: LCM: [ Start Test ] [[User]AdministratorPassword]
I have since run the script again; I can view the logs and see that the machine was started and DC1 is configured properly. The DC2 instance is launched, however none of the PS scripts are run due to the signal not being sent. I can also ping each machine from the other. Any suggestions?
When Secrets Manager secrets are converted by SSM, the plaintext passwords are recorded in CloudWatch logs
Hello, as described above I am not able to remote into the instance after running a default scenario 3 template. I am not sure if I did something wrong? Any help would be greatly appreciated.
Thank You!
Thanks for resolving many of the outstanding issues with this template over the years. I've had different issues which have all been resolved!! But I've been troubleshooting this RDGW malformed policy document when deploying the CF template in the GovCloud region!!
VPC Stack succeeds, AD stack succeeds but the RDGW fails! Here are details:
Please advise, I've changed to keep resources on delete so I'm hoping I can leverage a separate RDGW quick start/CF template to address but would prefer to use an all in one solution!!
ad-2.template line 396:
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;",
This sets the DNS to AWS default DNS it should be:
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.IPv4Address.IpAddress;"
To setup the AD DNS to the AD IP Address!
Hello,
I need to subset this quick start to do something very specific: launch two Windows Server 2012 R2 instances into an existing VPC, create a domain controller with all roles from one and join the second instance to the first DC with all roles. I'm also a bit of CloudFormation newbie. My plan was to find the code in this quick start that does that and modify it for my needs.
However, that's easier said than done. Can the authors recommend an approach to slimming this template down? I am especially confused about the role of the quick start assets loaded to/from S3. Where do they come from and are they what the wait conditions are set to await completion of?
Thx!
Deployment works fine. However, when performing join domain against a computer, I will receive an error message similar to the following:
Computer 'EC2AMAZ-XXXXX' was successfully joined to the new domain 'example.com', but renaming it to
'newname-srv1' failed with the following error message: The directory service is busy
Both domain controllers' resource usage is low (< 0% for CPU Utilization and <25% memory utilization) and there is barely any traffic coming into the instances.
Hello,
I am trying to use https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/templates/ad-1-ssm.template
template to deploy AD into my VPC. I created my own VPC and passed the parameters to CloudFormation stack. However, I am getting the error below.
Could you please point out to me what could be the cause of the error?
VERBOSE: [DSDC01]: [[xADDomain]PrimaryDC] Unhandled
error occured, detail here:
Message : Server instance not found on the given port.
ParamName :
Data :
{}
InnerException : System.ServiceModel.FaultException: The operation failed
because of a bad parameter.
TargetSite : Void
ThrowExceptionForFaultDetail(Microsoft.ActiveDirectory.WebServices.Proxy.FaultD
etail,
System.ServiceModel.FaultException)
StackTrace : at
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetai
l(FaultDetail
faultDetail, FaultException faultException)
at
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault
adwsFault,
FaultException faultException)
at
Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequ
est request)
at
Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest
request)
at
Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDi
rectory.Management
.IADSyncOperations.Search(ADSessionHandle handle,
ADSearchRequest request)
at
Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()
at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()
at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore(
)
at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionIn
fo()
at
Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBase
ProcessCSRoutine()
at
Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
HelpLink :
Source : Microsoft.ActiveDirectory.Management
HResult : -2147024809
VERBOSE: [DSDC01]: [[xADDomain]PrimaryDC]
ServiceModel FaultException detected and domain should exist, performing
retry...
VERBOSE: [DSDC01]: [[xADDomain]PrimaryDC] Attempt 1
of 5 to call Get-ADDomain failed, retrying in 30 seconds.
Non-Windows instances need credentials when joining an AD domain, but giving all instances access to the Admin credential that the quickstart stores in secrets manager does not meet security best practices.
For a secure setup, the AWS documentation suggests creating an AD user with minimal privileges to join hosts to the domain.
I suggest to add an additional optional parameter to the quickstart to optionally store these credentials in secrets manager and create the corresponding user while setting up the MGMT1 instance.
Getting the following error on Step 5 of the SSM Automation Document:
The term 'DhcpClient' is not recognized as
the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
Tried running this solution 4 times and each time after creating the first domain controller it times out.
Greetings -
I wanted to double check/review some of the ports listed in ad-1.template and whether they were required for Active Directory or not.
Port 5722 is only used on a Windows Server 2008 domain controller or on a Windows Server 2008 R2 domain controller.
[source]
I also have a question about the need for inbound/ingress rules being defined for 'DomainMembersSG' at all. [line 915] With security groups being stateful, wouldn't the default outbound rule of 0.0.0.0/0 be enough? I believe this is how the default Amazon WorkSpaces (Windows) is implemented, for example (SG: d-#_workspacesMembers).
Lastly, it may be helpful to add a description for each port:
Looking forward to hearing your thoughts.
Cheers,
Issue Description: VPCStack launches successfully; however, ADStack fails with creation of resource DomainController2. runDc1Mof stays stuck in InProgress state for more than an hour, which exceeds the Timeout for the CreationPolicy associated to DomainController2. Master Template used to create stack - https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/main/templates/ad-master-1.template
Attempting to deploy this stack with Scenario 1 using the
Where the Amazon bucket is https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/templates/
These issues all have the same output as the current issue:
#54
#46
#42
Essentially there is a timeout after DomainController2 is unable to send the [SUCCESS] message. There are several logs observed in the logging group.
Following steps from prior issues we find the following:
runPowerShellScript/stderr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:96
char:5
+ Import-DscResource -Module NetworkingDsc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'NetworkingDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:97
char:5
+ Import-DscResource -Module xActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'xActiveDirectory'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:98
char:5
+ Import-DscResource -Module ActiveDirectoryCSDsc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'ActiveDirectoryCSDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:99
char:5
+ Import-DscResource -Module ComputerManagementDsc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'ComputerManagementDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:100
char:5
+ Import-DscResource -Module xDnsServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'xDnsServer'.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ModuleNotFoundDuringParse
failed to run commands: exit status 255
Install-PackageProvider : No match was found for the specified search criteria
for the provider 'NuGet'. The package provider requires 'PackageManagement'
and 'Provider' tags. Please check if the specified package has the tags.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\937c5128-4c70-4b92-8889-3056a35a7e87\downloads\install-ad-modules.ps1:8
char:1
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5 -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvi
der:InstallPackageProvider) [Install-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.Pac
kageManagement.Cmdlets.InstallPackageProvider
Exception calling "ShouldContinue" with "2" argument(s): "Windows PowerShell
is in NonInteractive mode. Read and Prompt functionality is not available."
At C:\Program
Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7392 char:8
+ if($Force -or $psCmdlet.ShouldContinue($shouldContinueQueryMessag ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : PSInvalidOperationException
Set-PSRepository : NuGet provider is required to interact with NuGet-based
repositories. Please ensure that '2.8.5.201' or newer version of NuGet
provider is installed.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\937c5128-4c70-4b92-8889-3056a35a7e87\downloads\install-ad-modules.ps1:9
char:1
+ Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-PSRepository], Invali
dOperationException
+ FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Set-PSRepository
Other logging output exists, but seems to have been successful.
Currently, I have been trying to set up our environment as close to your testing environment as possible, but am unable to create a successful deployment.
Are there any steps that can be taken to resolve this issue?
Getting error, can you update ami?
The max length of the DomainDNSName parameter varies across templates. For example, the ad-master-3 and ad-1 templates have a max length of 255, but the ad-master-1 and ad-master-2 templates have a max length of 25. I think a restriction of max length 25 is low for DomainDNSName.
ad-master-1 template
"DomainDNSName": {
  "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+",
  "Default": "example.com",
  "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com",
  "MaxLength": "25",
ad-master-3 template
"DomainDNSName": {
  "AllowedPattern": "[a-zA-Z0-9\-]+\..+",
  "Default": "example.com",
  "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com",
  "MaxLength": "255",
quickstart-microsoft-activedirectory/templates/ad-2012r2-2.template
Lines 237 to 282 in 6967d02
Parameters:
  LatestAmazonWindows2012R2AmiId:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base'
...
    Properties:
      ImageId: !Ref LatestAmazonWindows2012R2AmiId
Hi, several links in the Launch the Quick Start table at Active Directory on the AWS Cloud Quick Start Reference Deployment point to http://qs_launch_permalink/. For example: Deploy self-managed Active Directory into a new VPC on AWS. These links do not function.