
quickstart-microsoft-activedirectory's Introduction

quickstart-microsoft-activedirectory's People

Contributors

andrew-glenn, aws-ia-ci, davmayd, dowen12, dragos-madarasan, fishbowler, girvenj, handans, hebrett, jaymccon, joannies, john-aws, kamarja, marciarieferjohnston, mmeidlinger, relmota, ryannikschaws, santiagocardenas, tekdj7, tommcm, tonynv, troy-ameigh, vsnyc


quickstart-microsoft-activedirectory's Issues

'Get-ADDomain' is not recognized as the name of a cmdlet

Getting error at this line https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/main/scripts/Post-Config.ps1#L27

Get-ADDomain : The term 'Get-ADDomain' is not recognized as the name of a 
cmdlet, function, script file, or operable program. Check the spelling of the 
name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\Amazon\SSM\InstanceData\i-08462dbc62ba247b3\document\orchestr
ation\f48d16ad-015e-447c-b9e0-5fd0daf63d73\downloads\Post-Config.ps1:25 char:11
+ $Domain = Get-ADDomain
+           ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADDomain:String) [], Comman 
   dNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 
failed to run commands: exit status 255

Any help appreciated.

Hangs on DomainController1WaitCondition

Hey,
I try to use
Template_1_AD_2012R2.template
But it hangs on
DomainController1WaitCondition
Those are the parameters: [screenshot]
I put in quite a strong password, at least 8 chars with numbers, lower- and uppercase letters, and digits.
After a long time I get:

Embedded stack <...> was not successfully created: The following resource(s) failed to create: [DomainController1WaitCondition].

Any ideas?
Thanks

Failing to create stack - Hangs and fails on second DC

11:13:22 UTC-0400 CREATE_FAILED AWS::EC2::Instance DomainController2 Failed to receive 1 resource signal(s) within the specified duration

This is the error I received. I literally ran the stack two days ago and it succeeded. Now it hangs on the second DC for 20+ minutes and then rolls back. I am running it again now with Rollback disabled.

Documentation does not match what is deployed by QuickStart for Security Groups

The documentation https://aws-quickstart.github.io/quickstart-microsoft-activedirectory/#_security indicates that three security groups are created:
  • DomainControllerSG: TCP5985, TCP53, UDP53, TCP80, TCP3389 from the VPC CIDR; all traffic from self; UDP123, TCP135, UDP138, UDP137, TCP139, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389, TCP5722, UDP5355, (ICMP -1) from DomainMemberSG
  • DomainMemberSG: UDP88, TCP88, TCP445, UDP445, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636 from the AD controllers
  • RDGWSecurityGroup: TCP3389 from RDGWCIDR

However, the CloudFormation Stacks create only two security groups with names and rules that differ from the documentation:
  • DomainControllersSecurityGroup: UDP445, UDP138, UDP49152-65535, UDP464, TCP464, TCP49152-65535, UDP389, UDP53, TCP389, UDP123, TCP3389, TCP445, TCP9389, TCP5985, TCP3268, TCP88, TCP135, TCP636, TCP3269, TCP53, UDP88, and all traffic from self
  • DomainMembersSecurityGroup: TCP3389, TCP5985, TCP5986

How to reference this template in S3

Hi,

I'm new to Git and AWS and I was trying to use CloudFormation to deploy "https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html", but whenever I run this template from Cloud Stack it errors and says that the following don't exist: "submodules/quickstart-aws-vpc",
"templates/aws-vpc.template"
I created those folders in my S3 and uploaded the template, but it still doesn't work.

How do I reference GitHub in AWS CloudFormation? I would appreciate it if you could help.

The following resource(s) failed to create: [RemoteDesktopGatewaySG, RDGWHostRole

When I attempt to use the quickstart, I get this error while it's trying to create the Remote Desktop Gateway.

Embedded stack arn:aws:cloudformation:ap-southeast-2:972620357255:stack/Active-Directory-DS-RDGWStack-1FD6NW99W1XIQ/4f63d070-c8fe-11e8-a752-06a653fc8ec8 was not successfully created: The following resource(s) failed to create: [RemoteDesktopGatewaySG, RDGWHostRole, EIP1].

I ran the quickstart in the Sydney Region.

Thanks if anyone has a solution to this!

Not an Enterprise CA

Hi, the mgmt-1.template description claims to deploy an Enterprise CA. When I RDP into this instance, its list of server roles does not include Active Directory Certificate Services and certsrv.msc is not found.

Is the description wrong, or could CA feature installation have failed?

how to connect my onpremise DC to Scenario-2 DCs

Hi good morning.
I actually have an OpenVPN AMI on another VPC in the same region where I launched the Scenario-2 master stack.
I've done the peering connection between the OpenVPN VPC and the Scenario-2 VPC, I've made a security group for the traffic coming from the OpenVPN VPC and attached it to the Scenario-2 DC1 and DC2, but I still can't connect to my Scenario-2 DCs. The only way I managed to connect is by associating the private subnets from the Scenario-2 VPC with the route table from that VPC.
I don't know if this is the right way to do it or if there is a better, correct way to do it.
Can you help me?
@virtlima

ad3 template does not include RDP

The bring-your-own-VPC ad3 template does not include an RDP gateway to access resources externally, whereas the other from-scratch VPC builds do. Not sure if this is an oversight or intended. Would like to see the existing-VPC build include this.

Uniqueness to Stack when describing Instances Calls

When getting instance IDs, the Automation Document relies only on the Name tag. If there are instances with the same Name tag, this causes issues when running the Automation. Need a mechanism to get only the instance IDs deployed by the CloudFormation stack.
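
One way to scope the lookup to a stack, as an added example in Python that is not code from the quickstart or its SSM documents: it filters a describe_instances-style response on the aws:cloudformation:stack-id tag that CloudFormation sets on every instance it creates (tag keys with the aws: prefix are reserved and cannot be set or edited by users, unlike the free-form Name tag). The response, stack ARNs and instance IDs below are constructed placeholders so the example runs offline.

```python
"""Select only the EC2 instances that belong to one CloudFormation stack.

Added example, not code from the quickstart. Keys on the reserved
aws:cloudformation:stack-id tag instead of the user-editable Name tag.
"""

STACK_ID_TAG = "aws:cloudformation:stack-id"
LOGICAL_ID_TAG = "aws:cloudformation:logical-id"


def _tags(instance):
    """Flatten one instance's Tags list into a {Key: Value} map."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def instances_for_stack(response, stack_id, logical_id=None, name=None):
    """Return sorted instance IDs whose stack-id tag equals stack_id.

    logical_id / name optionally narrow the match further; an instance that
    matches on Name but carries a different stack-id is never returned.
    """
    matches = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = _tags(inst)
            if tags.get(STACK_ID_TAG) != stack_id:
                continue
            if logical_id is not None and tags.get(LOGICAL_ID_TAG) != logical_id:
                continue
            if name is not None and tags.get("Name") != name:
                continue
            matches.append(inst["InstanceId"])
    return sorted(matches)


def instances_by_name(response, name):
    """The lookup the issue describes: Name tag only, no stack scoping."""
    return sorted(
        inst["InstanceId"]
        for r in response.get("Reservations", [])
        for inst in r.get("Instances", [])
        if _tags(inst).get("Name") == name
    )


# Constructed sample (placeholder ARNs and IDs): two stacks in one account
# both named their first domain controller "DC1", plus a hand-tagged stray.
STACK_A = "arn:aws:cloudformation:us-east-1:111111111111:stack/ad-a/aaaaaaaa-0000-0000-0000-000000000001"
STACK_B = "arn:aws:cloudformation:us-east-1:111111111111:stack/ad-b/bbbbbbbb-0000-0000-0000-000000000002"

SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a0a0a0a0a0a0a0a1",
             "Tags": [{"Key": "Name", "Value": "DC1"},
                      {"Key": STACK_ID_TAG, "Value": STACK_A},
                      {"Key": LOGICAL_ID_TAG, "Value": "DomainController1"}]},
            {"InstanceId": "i-0a0a0a0a0a0a0a0a2",
             "Tags": [{"Key": "Name", "Value": "DC2"},
                      {"Key": STACK_ID_TAG, "Value": STACK_A},
                      {"Key": LOGICAL_ID_TAG, "Value": "DomainController2"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0b0b0b0b0b0b0b0b1",
             "Tags": [{"Key": "Name", "Value": "DC1"},
                      {"Key": STACK_ID_TAG, "Value": STACK_B},
                      {"Key": LOGICAL_ID_TAG, "Value": "DomainController1"}]},
            # Not managed by any stack; someone copied the Name tag by hand.
            {"InstanceId": "i-0c0c0c0c0c0c0c0c1",
             "Tags": [{"Key": "Name", "Value": "DC1"}]},
        ]},
    ]
}

if __name__ == "__main__":
    print("Name only:    ", instances_by_name(SAMPLE_RESPONSE, "DC1"))
    print("Stack A, DC1: ", instances_for_stack(SAMPLE_RESPONSE, STACK_A, logical_id="DomainController1"))
```

Against a real account the same condition can be pushed server-side with boto3's describe_instances(Filters=[{"Name": "tag:aws:cloudformation:stack-id", "Values": [stack_id]}]); the in-memory version above is what lets the example run without credentials.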

Scenario 1: intermittent errors running SSM automation, possibly due to DNS

When deploying the Quick Start in scenario 1 the SSM automation sometimes freezes at the step configDC1.

On investigation, I found that during this frozen state the DC1 instance could not be reached by SSM Session Manager. Connecting via RDP and running Get-DnsClientServerAddress revealed that no DNS server was configured (and so the SSM agent could not reach ssm.amazonaws.com). I encountered this issue quite a few times, and manually running Start-DscConfiguration via RDP would allow the automation to resume.

I believe this is due to an issue in scripts/ConfigDC1.ps1. DnsServerAddress[DnsServerAddress] (line 211) depends on [WindowsFeature]DNS, but [NetIPInterface]DisableDhcp (line 193) does not, so if a reboot occurs between those two resources then no DNS server will be configured at boot. Manually running Start-DscConfiguration would then resume the configuration, correctly setting the DNS server to 127.0.0.1.

I think I was able to resolve the problem by adding [WindowsFeature]DNS as a DependsOn for [NetIPInterface]DisableDhcp, [IPAddress]SetIP and [DefaultGatewayAddress]SetDefaultGateway, but this does produce a warning when [WindowsFeature]DNS is installing since a static IP is not set.
Lines 193-216 in my updated script are now

        NetIPInterface DisableDhcp {
            Dhcp           = 'Disabled'
            InterfaceAlias = 'Primary'
            AddressFamily  = 'IPv4'
            DependsOn      = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS'
        }
        IPAddress SetIP {
            IPAddress      = $IPADDR
            InterfaceAlias = 'Primary'
            AddressFamily  = 'IPv4'
            DependsOn      = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
        }
        DefaultGatewayAddress SetDefaultGateway {
            Address        = $GatewayAddress
            InterfaceAlias = 'Primary'
            AddressFamily  = 'IPv4'
            DependsOn      = '[NetAdapterName]RenameNetAdapterPrimary', '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
        }
        DnsServerAddress DnsServerAddress {
            Address        = '127.0.0.1'
            InterfaceAlias = 'Primary'
            AddressFamily  = 'IPv4'
            DependsOn      = '[WindowsFeature]DNS', '[NetIPInterface]DisableDhcp'
        }

I am not certain if this is the correct way to fix the issue, or even if I have correctly identified the root cause of the issue I was having, but it seemed to work for me.

Conversion of template to yaml

Without being able to add comments in JSON, it's difficult to use this template as the basis for new company infrastructure. It would be great if all these examples were converted to YAML.

t2.small instances

I've noticed the CF code here doesn't support t2.small instances in the main/sub modules. That instance type does fall within the specs for the OSes, and would be handy for smaller environments, labs, etc. Is this intentional? If not I can throw in a commit to update that; I just wasn't sure if there was a list of supported instance types that t2.small wasn't on or something like that.

Example:

ADServerInstanceType:
  AllowedValues:
    - t2.medium
    - t3.medium
    - t2.large
    - t3.large
    - m4.large
    - m4.xlarge
    - m4.2xlarge
    - m4.4xlarge
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5.4xlarge
  Default: m5.large
  Description: Amazon EC2 instance type for Active Directory Controller instances
  Type: String

GovCloud AD Deployment Issues

The ad-n.template files have the following issues when deploying in GovCloud:

  1. The 'AWSAMIRegionMap' does not contain an entry for 'us-gov-west-1' with a corresponding AMI.

The ad-1.template file has the following issue when deploying in GovCloud:

  1. The partition listed in the Resource of the policy for AD-SSM-Parameters on line 521 is hard-coded to 'arn:aws:ssm' instead of having a Fn::Sub: ["arn:${Partition}..." tied to the GovCloudCondition.
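
A check for the second problem, as an added example in Python that is not part of the quickstart: it walks a parsed template (JSON or YAML loaded into a dict) and reports every string that pins a partition literally, then rewrites the literal to ${AWS::Partition} inside Fn::Sub, which is the portable form and needs no GovCloud condition at all. The template fragment, account ID and parameter name below are constructed placeholders.

```python
"""Find hard-coded "arn:aws:" partitions in a CloudFormation template.

Added example, not part of the quickstart. A literal partition breaks IAM
policies in GovCloud (arn:aws-us-gov) and China (arn:aws-cn); the fix is
the ${AWS::Partition} pseudo-parameter inside Fn::Sub.
"""
import re

# Any literal partition, including the GovCloud/China ones: all of them
# pin the template to one partition.
HARDCODED = re.compile(r"arn:aws(?:-us-gov|-cn)?:")


def _walk(node, path=()):
    """Yield (path, string) for every string leaf in a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))
    elif isinstance(node, str):
        yield path, node


def find_hardcoded_partitions(template):
    """Return [(json_path, value)] for strings that pin a partition.

    A string that already uses ${AWS::Partition} is fine; a literal
    arn:aws:... anywhere (plain Resource value, inside Fn::Sub, inside a
    Fn::Join list) is reported with its path into the template.
    """
    findings = []
    for path, value in _walk(template):
        if HARDCODED.search(value):
            findings.append(("/".join(str(p) for p in path), value))
    return findings


def portable_arn(value):
    """Rewrite one literal ARN string into a partition-agnostic Fn::Sub."""
    return {"Fn::Sub": HARDCODED.sub("arn:${AWS::Partition}:", value)}


# Constructed fragment modelled on the issue: one policy statement pins
# arn:aws:ssm, the next is already portable. IDs/names are placeholders.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ADSsmPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Statement": [
                        {"Effect": "Allow",
                         "Action": ["ssm:GetParameter"],
                         "Resource": "arn:aws:ssm:us-gov-west-1:123456789012:parameter/AD-SSM-Parameters"},
                        {"Effect": "Allow",
                         "Action": ["secretsmanager:GetSecretValue"],
                         "Resource": {"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:ad-admin-*"}},
                    ]
                }
            },
        }
    }
}

if __name__ == "__main__":
    for path, value in find_hardcoded_partitions(SAMPLE_TEMPLATE):
        print(path, "->", portable_arn(value))
```

Run it over json.load() of the template (or yaml.safe_load() for the YAML variants, with a loader that understands the !Ref/!Sub short tags) and treat any finding as a blocker for a GovCloud deployment; the same walk catches the AMI-map gap indirectly if you extend the regex to the region names you expect.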

Deployment failing - Error running SSM RunCommand DC1/2 - Scenario 1

For some reason SSM RunCommand is failing on DC1/2, scenario 1.
Looked around in SSM, but couldn't figure out what's wrong. CFN reference to S3 is correct, and I successfully downloaded the template file from inside the instance.
install-ad-modules.ps1 is the one showing in the logs, but only because it is the first one. I tried manually running the SSM RunCommand on the other scripts (like LCM-Config.ps1), and they fail too.

I've created a new SSM Document to download the S3 file to the instance (aws:downloadcontent) and it works fine.

On CloudWatch I'm getting:
----------ERROR-------
AccessDenied: Access Denied
status code: 403, request id: XXXXXX, host id: XXXXXX

----------ERROR-------
./install-ad-modules.ps1 : The term './install-ad-modules.ps1' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\Amazon\SSM\InstanceData\i-XXXXXX\document\orchestration\XXXXXX\runPowerShellScript_script.ps1:4 char:2
+ ./install-ad-modules.ps1
    + CategoryInfo          : ObjectNotFound: (./install-ad-modules.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
failed to run commands: exit status 255

Failure to create domain controller 2 for scenario 1 in a new VPC

Hi good morning.
I see that you have a recently closed thread that has the same problem I'm facing.

[screenshot]
AWS Systems Manager says this:

[screenshot]

[screenshot]

As far as I can see the instance for DC2 was created, but then I think one of the post-creation scripts is failing to send the signal to continue.

Error in Install-ADDSForest command in CFT

I am testing with the latest Install-ADDSForest script and it's not working. I am seeing this error:

[screenshot]
I logged into the box to see what happened, and the values being passed into the Install-ADDSForest script are incorrect.

From the Install-ADDSForest.ps1 transcript:
Host Application: powershell.exe -Command c:\cfn\scripts\Install-ADDSForest.ps1 -DomainNetBIOSName etrn-addc1 -DomainAdminUser StackAdmin -DomainDNSName awsetrn.etrn.com -SSMParamName CFN-ADPassword-onYissgUM3pU

But in the script, this is the command being run:
Install-ADDSForest -DomainName $DomainDNSName -DomainNetbiosName $DomainNetBIOSName -SafeModeAdministratorPassword (ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force) -DomainMode Default -ForestMode Default -Confirm:$false -Force

The value in parameter $DomainNetBIOSName is actually the hostname, as defined by CFT parameter ADServer1NetBIOSName.

Here's the problem right here in the CFT. The CFT needs to be updated for the Quickstart to work.
"2-install-adds": {
  "command": {
    "Fn::Join": [
      "",
      [
        "powershell.exe -Command c:\\cfn\\scripts\\Install-ADDSForest.ps1 -DomainNetBIOSName ",
        { "Ref": "ADServer1NetBIOSName" },
        " -DomainAdminUser ",
        { "Ref": "DomainAdminUser" },
        " -DomainDNSName ",
        { "Ref": "DomainDNSName" },
        " -SSMParamName ",
        { "Ref": "ADPassword" }
      ]
    ]
  }
}

Update ADServer1NetBIOSName with DomainNetBIOSName.
Originally posted by @Schizamp in https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/issue_comments#issuecomment-424430126

Failed to create ADServerRole and ADSsmPassRolePolicy

Hi,
I'm trying to use this quick start in the AWS Gov region. I copied "quickstart-microsoft-activedirectory" to my S3 and modified the template to point to my S3.
It failed with following error: Partition "aws" is not valid for resource "arn:aws:iam::accountnumber:role/ADDC-AWSQuickstartADDSRole-number".
(Service: AmazonIdentityManagement; Status Code: 400, Error Code: malformedPolicyDocument)

Password Complexity Issue

Yes, I was able to deploy just after I changed the password from Admin12xrfD!# (example) to e.g. AdCmFXan12!%2. Likely, "Admin" was part of the password phrase and the user name simultaneously; it looks like it fell foul of some DC policy, I suppose. After the password change, the CF stack deployed seamlessly. I analyzed the logs in CloudWatch Logs and noticed the exception about violating the password policy. You may easily try to replicate the issue.

Originally posted by @smolnik in #15 (comment)

DomainController2 Install-ADDSDC Errors

The Install-ADDSDC.ps1 file is full of syntax errors. I receive the following errors when running the file.

2018-07-26 12:06:31,141 [DEBUG] Running command 2-add-dc
2018-07-26 12:06:31,141 [DEBUG] No test for command 2-add-dc
2018-07-26 12:06:31,750 [ERROR] Command 2-add-dc (powershell.exe -Command c:\cfn\scripts\Install-ADDSDC.ps1 -DomainNetBIOSName REDACTED-DomainAdminUser REDACTED-DomainDNSName REDACTED -SSMParamName REDACTED) failed
2018-07-26 12:06:31,750 [DEBUG] Command 2-add-dc output: At C:\cfn\scripts\Install-ADDSDC.ps1:306 char:187
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for 
future use; wrap an ampersand in double quotation marks ("&") to pass it as 
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:310 char:18
+ </form>          </li>
+                  ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:359 char:250
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for 
future use; wrap an ampersand in double quotation marks ("&") to pass it as 
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:394 char:92
+ ... ss="description">Be notified when participating or @mentioned.</span>
+                                                                   ~
Missing property name after reference operator.
At C:\cfn\scripts\Install-ADDSDC.ps1:394 char:92
+ ... ss="description">Be notified when participating or @mentioned.</span>
+                                                                   ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:454 char:242
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for 
future use; wrap an ampersand in double quotation marks ("&") to pass it as 
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:468 char:10
+ </form>  </div>
+          ~
The '<' operator is reserved for future use.
At C:\cfn\scripts\Install-ADDSDC.ps1:676 char:293
+ ... TF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for 
future use; wrap an ampersand in double quotation marks ("&") to pass it as 
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:827 char:198
+ ... UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for 
future use; wrap an ampersand in double quotation marks ("&") to pass it as 
part of a string.
At C:\cfn\scripts\Install-ADDSDC.ps1:830 char:12
+ </form>    </details-dialog>
+            ~
The '<' operator is reserved for future use.
Not all parse errors were reported.  Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed

Thanks!

how to connect and join an external pc to domain in Scenario 1?

Hi good afternoon.
I have set up scenario 1 with the new-VPC quickstart.
How can I connect with RDP to my server? Do I need to set up an RD Gateway?
How can I join a Windows 10 Pro PC to my new AWS cloud domain?
I can't find any documentation about this.

Thanks.

DomainController 2 Wait Condition Error

I am running into a DomainController Wait Condition error when deploying scenario1 of the Cloudformation Stack. The high-level error I receive is Embedded stack arn:aws:cloudformation:us-east-2:129774511219:stack/Active-Directory-DS-ADStack-15BBY8T0X8B52/b979a2a0-61ed-11e8-8912-50faf8bfacd1 was not successfully created: The following resource(s) failed to create: [DomainController2WaitCondition].

Here is an image with more details from the nested stack.
[screenshot, 2018-05-27 4:24:57 pm]

ConfigDC1.ps1 has missing Parameters

I'm getting below error when trying to run scenario 1.

C:\ProgramData\Amazon\SSM\InstanceData\i-0955fb4db3df03d62\document\orchestration\7a564895-984e-4f81-bfa7-539e6974ac6f\downloads\ConfigDC1.ps1 : A parameter cannot be found that matches parameter name 'PrivateSubnet1CIDR'

Looking at the code, it seems ConfigDC1.ps1 doesn't define this parameter in its list of parameters. Yet, ad-1-yaml.template calls ConfigDC1.ps1 with PrivateSubnet1CIDR parameter.

commandLine: "./ConfigDC1.ps1 -ADServer1NetBIOSName {{ADServer1NetBIOSName}} -DomainNetBIOSName {{DomainNetBIOSName}} -DomainDNSName {{DomainDNSName}} -ADAdminSecParam {{ADAdminSecParamName}} -ADAltUserSecParam {{ADAltUserSecParamName}} -RestoreModeSecParam {{RestoreModeSecParamName}} -SiteName {{global:REGION}} -PrivateSubnet1CIDR {{PrivateSubnet1CIDR}} -PublicSubnet1CIDR {{PublicSubnet1CIDR}} -PrivateSubnet2CIDR {{PrivateSubnet2CIDR}} -PublicSubnet2CIDR {{PublicSubnet2CIDR}}"

ad-2012r2-1.template not updated for Paris region yet.

I get the following Create Failed event message when trying to launch it in Paris (eu-west-3):
Template error: Unable to get mapping for AWSAMIRegionMap::eu-west-3::WS2012R2

The Mappings section of the template just needs to have the Paris region added with the correct ami id.

Mismatch of RDGWInstanceType AllowedValues between rdgw-domain.template and ad-master templates

There's a discrepancy in allowed instance types for the RDGW Instance Type, which allows the user to specify an instance type in the master that is not valid in the nested template.

ad-master-3.template

RDGWInstanceType:
  Description: Amazon EC2 instance type for the Remote Desktop Gateway instances
  Type: String
  Default: t3.large
  AllowedValues:
    - t2.small
    - t2.medium
    - t2.large
    - t3.small
    - t3.medium
    - t3.large
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5.4xlarge

rdgw-domain.template

RDGWInstanceType:
  Description: Amazon EC2 instance type for the Remote Desktop Gateway instances
  Type: String
  Default: t3.2xlarge
  AllowedValues:
    - t2.large
    - t3.micro
    - t3.small
    - t3.medium
    - t3.large
    - t3.xlarge
    - t3.2xlarge
    - t3a.micro
    - t3a.small
    - t3a.medium
    - t3a.large
    - t3a.xlarge
    - t3a.2xlarge
    - m5.large
    - m5.xlarge
    - m5.2xlarge
    - m5a.large
    - m5a.xlarge
    - m5a.2xlarge

Specifying t2.small, t2.medium or m5.4xlarge in the master stack will cause the RDGWStack stack creation to fail.

Domain Controller 2 fails to receive CFN-Signal

I have been racking my head on this one for some time. I am running the AD-1.template in GovCloud in an existing VPC. I have all my parameters correct and have even set the Wait Condition to 4 hours but always get the Failed Signal for DC2 to complete configuration.

Here is the last CloudWatch Log entry.

VERBOSE: [DC1]: LCM: [ Start Resource ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ Start Test ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Test-TargetResource: Testing the
network adapter Name 'Primary'.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Find-NetworkAdapter: Finding
network adapters matching the parameters.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Find-NetworkAdapter: 1 network
adapters were found matching the parameters.
VERBOSE: [DC1]: [[NetAdapterName]RenameNetAdapterPrimary] Test-TargetResource: A network
adapter was found with the intended new name 'Primary' of the Adapter. No rename required.
VERBOSE: [DC1]: LCM: [ End Test ] [[NetAdapterName]RenameNetAdapterPrimary] in 1.5430 seconds.
VERBOSE: [DC1]: LCM: [ Skip Set ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ End Resource ] [[NetAdapterName]RenameNetAdapterPrimary]
VERBOSE: [DC1]: LCM: [ Start Resource ] [[User]AdministratorPassword]

16:46:20
VERBOSE: [DC1]: LCM: [ Start Test ] [[User]AdministratorPassword]
VERBOSE: [DC1]: LCM: [ Start Test ] [[User]AdministratorPassword]

I have since run the script again; I can view the logs and see that the machine was started and DC1 is configured properly. The DC2 instance is launched, however none of the PS scripts are run due to the signal not being sent. I can also ping each machine from the other. Any suggestions?

can't remote into scenario 3 after Create_Complete

Hello, as described above I am not able to remote into the instance after running a default scenario 3 template. I am not sure if I did something wrong? Any help would be greatly appreciated.

Thank You!

RDGW Malformed Policy - ad-main-1-template.yaml

Thanks for resolving many of the outstanding issues with this template over the years. I've had different issues which have all been resolved!! But I've been troubleshooting this RDGW malformed policy document when deploying the CF template in the GovCloud region!!

VPC Stack succeeds, AD stack succeeds but the RDGW fails! Here are details:

CloudFormation errors:
[screenshots: CFTemplateStatus, RDGWRoleFail]

CloudTrail details:
[screenshot: GovCLoudRDGW; attachment: CloudTrailRDGW.txt]

Please advise, I've changed to keep resources on delete so I'm hoping I can leverage a separate RDGW quick start/CF template to address but would prefer to use an all in one solution!!

Error in ad-2.template

ad-2.template line 396:
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;",

This sets the DNS to the AWS default DNS; it should be:
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.IPv4Address.IpAddress;"

To setup the AD DNS to the AD IP Address!

This QuickStart confuses me

Hello,
I need to subset this quick start to do something very specific: launch two Windows Server 2012 R2 instances into an existing VPC, create a domain controller with all roles from one and join the second instance to the first DC with all roles. I'm also a bit of CloudFormation newbie. My plan was to find the code in this quick start that does that and modify it for my needs.

However, that's easier said than done. Can the authors recommend an approach to slimming this template down? I am especially confused about the role of the quick start assets loaded to/from S3. Where do they come from and are they what the wait conditions are set to await completion of?

Thx!

Intermittent "The directory service is busy" error

Deployment works fine. However, when performing join domain against a computer, I will receive an error message similar to the following:

Computer 'EC2AMAZ-XXXXX' was successfully joined to the new domain 'example.com', but renaming it to 
'newname-srv1' failed with the following error message: The directory service is busy

Both domain controllers' resource usage is low (< 0% for CPU Utilization and <25% memory utilization) and there is barely any traffic coming into the instances.

Error Creating Domain Controller

Hello,
I am trying to use https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/templates/ad-1-ssm.template template to deploy AD into my VPC. I created my own VPC and passed the parameters to CloudFormation stack. However, I am getting the error below.

Could you please point out to me what could be the cause of the error?

VERBOSE: [DSDC01]:                            [[xADDomain]PrimaryDC] Unhandled 
error occured, detail here: 

Message        : Server instance not found on the given port.
ParamName      : 
Data           : 
{}

InnerException : System.ServiceModel.FaultException: The operation failed 
because of a bad parameter.
TargetSite     : Void 
ThrowExceptionForFaultDetail(Microsoft.ActiveDirectory.WebServices.Proxy.FaultD
etail, 
                 System.ServiceModel.FaultException)
StackTrace     :    at 
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetai
l(FaultDetail 
                 faultDetail, FaultException faultException)
                    at 
Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault 
adwsFault, 
                 FaultException faultException)
                    at 
Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequ
est request)
                    at 
Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest 
request)
                    at 
Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDi
rectory.Management
                 .IADSyncOperations.Search(ADSessionHandle handle, 
ADSearchRequest request)
                    at 
Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()
                    at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()
                    at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore(
)
                    at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionIn
fo()
                    at 
Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBase
ProcessCSRoutine()
                    at 
Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
                    at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
HelpLink       : 
Source         : Microsoft.ActiveDirectory.Management
HResult        : -2147024809
VERBOSE: [DSDC01]:                            [[xADDomain]PrimaryDC] 
ServiceModel FaultException detected and domain should exist, performing 
retry...
VERBOSE: [DSDC01]:                            [[xADDomain]PrimaryDC] Attempt 1 
of 5 to call Get-ADDomain failed, retrying in 30 seconds.

Extend quickstart to allow secure seamless domain joins of Non-Windows Instances

Non-Windows instances need credentials when joining an AD domain, but giving all instances access to the Admin credential that the quickstart stores in Secrets Manager does not meet security best practices.

For a secure setup, the AWS documentation suggests creating an AD user with minimal privileges to join hosts to the domain.

I suggest adding an additional optional parameter to the quickstart to optionally store these credentials in Secrets Manager and create the corresponding user while setting up the MGMT1 instance.

DHCP Error on ConfigDC1.ps1

Getting the following error on Step 5 of the SSM Automation Document:

The term 'DhcpClient' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Times out after 30 minutes

Tried running this solution 4 times and each time after creating the first domain controller it times out.

Ports listed in ad-1.template

Greetings -

I wanted to double check/review some of the ports listed in ad-1.template and whether they were required for Active Directory or not.

  • Remove: TCP/80 [line 791] I don't think HTTP is required?
  • Warn About/Remove: TCP/3389 [line 803] [line 921] The RDP port is open to the entire VPC CIDR for both Domain Controllers and Domain Members. It may be worth mentioning this in the CloudFormation Description? With Session Manager port forwarding, this may not be necessary, or perhaps can be made as an optional parameter?
  • Remove: UDP/445 [line 838] [line 976] [line 985] I believe only TCP/445 is required, but UDP is not. [source 1] [source 2] I have found a few references for UDP/445 in earlier Server OS versions, so I'm not sure if it was deprecated or just a typo? [example]
  • Remove: TCP/5722 [line 902]

Port 5722 is only used on a Windows Server 2008 domain controller or on a Windows Server 2008 R2 domain controller.
[source]

  • TCP/139 [line 811] [line 899] Line 811 and 899 are duplicate coverage. Is that port needed for all of the VPC CIDR?
  • TCP/445 [line 807] Is SMB needed for all of the VPC CIDR?
  • TCP/5985 - [line 787] [line 917] Is WinRM 2.0 required at all? If so, why for all of the VPC CIDR (domain members too)?
  • UDP/5355 - [line 891] is Link-Local Multicast Name Resolution (LLMNR) required? Generally I see recommendations to disable this.

I also have a question about the need of inbound/ingress rules being defined for 'DomainMembersSG' at all. [line 915] With security groups being stateful, wouldn't the default outbound rule of 0.0.0.0/0 be enough? I believe this is how the default Amazon WorkSpaces (Windows) is implemented for example (SG: d-#_workspacesMembers).

Lastly, it may be helpful to add a description for each port:

  • tcp&udp/53 - DNS
  • tcp&udp/88 - Kerberos
  • udp/123 - W32Time
  • tcp/135 - RPC Endpoint Mapper
  • udp/137 - NetBIOS Name Resolution
  • udp/138 - NetBIOS Datagram Service
  • tcp/139 - NetBIOS Session Service
  • tcp&udp/389 - LDAP
  • tcp/445 - SMB
  • tcp&udp/464 - Kerberos Password V5
  • tcp/636 - LDAP SSL
  • tcp/3268 - LDAP GC
  • tcp/3269 - LDAP GC SSL
  • tcp/9389 - Active Directory Web Services (ADWS)

Looking forward to hearing your thoughts.

Cheers,
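The port review above is the kind of check that is easy to automate. The following is an added example, not part of the quickstart: it parses a CloudFormation template, walks every AWS::EC2::SecurityGroup ingress rule, and reports each port as a known AD service port (using the list from the post above), an administrative port open to a CIDR (RDP), a wide range that needs manual review, or an unexpected port. The template fragment embedded below is constructed for the example; the real ad-1.template has different resource names, CIDRs and line numbers.

```powershell
# Added example (not code from the quickstart): audit security-group ingress rules in a
# CloudFormation template against the AD service ports listed in the issue above.
$RequiredAdPorts = @(
    @{ Protocol = 'tcp'; Port = 53;   Service = 'DNS' }
    @{ Protocol = 'udp'; Port = 53;   Service = 'DNS' }
    @{ Protocol = 'tcp'; Port = 88;   Service = 'Kerberos' }
    @{ Protocol = 'udp'; Port = 88;   Service = 'Kerberos' }
    @{ Protocol = 'udp'; Port = 123;  Service = 'W32Time' }
    @{ Protocol = 'tcp'; Port = 135;  Service = 'RPC Endpoint Mapper' }
    @{ Protocol = 'udp'; Port = 137;  Service = 'NetBIOS Name Resolution' }
    @{ Protocol = 'udp'; Port = 138;  Service = 'NetBIOS Datagram Service' }
    @{ Protocol = 'tcp'; Port = 139;  Service = 'NetBIOS Session Service' }
    @{ Protocol = 'tcp'; Port = 389;  Service = 'LDAP' }
    @{ Protocol = 'udp'; Port = 389;  Service = 'LDAP' }
    @{ Protocol = 'tcp'; Port = 445;  Service = 'SMB' }
    @{ Protocol = 'tcp'; Port = 464;  Service = 'Kerberos Password V5' }
    @{ Protocol = 'udp'; Port = 464;  Service = 'Kerberos Password V5' }
    @{ Protocol = 'tcp'; Port = 636;  Service = 'LDAP SSL' }
    @{ Protocol = 'tcp'; Port = 3268; Service = 'LDAP GC' }
    @{ Protocol = 'tcp'; Port = 3269; Service = 'LDAP GC SSL' }
    @{ Protocol = 'tcp'; Port = 9389; Service = 'Active Directory Web Services' }
)

# Constructed template fragment for the example; not the real ad-1.template.
$TemplateJson = @'
{
  "Resources": {
    "DomainControllersSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 80,    "ToPort": 80,    "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "tcp", "FromPort": 3389,  "ToPort": 3389,  "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "udp", "FromPort": 445,   "ToPort": 445,   "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "tcp", "FromPort": 5722,  "ToPort": 5722,  "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "tcp", "FromPort": 389,   "ToPort": 389,   "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "udp", "FromPort": 88,    "ToPort": 88,    "CidrIp": "10.0.0.0/16" },
          { "IpProtocol": "tcp", "FromPort": 49152, "ToPort": 65535, "CidrIp": "10.0.0.0/16" }
        ]
      }
    }
  }
}
'@

function Test-AdIngressRules {
    param([Parameter(Mandatory)][string]$Json)

    $template = $Json | ConvertFrom-Json
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($res in $template.Resources.PSObject.Properties) {
        if ($res.Value.Type -ne 'AWS::EC2::SecurityGroup') { continue }

        foreach ($rule in $res.Value.Properties.SecurityGroupIngress) {
            $proto  = [string]$rule.IpProtocol
            $from   = [int]$rule.FromPort
            $to     = [int]$rule.ToPort
            $source = if ($rule.CidrIp -is [string]) { $rule.CidrIp } else { 'security-group reference' }

            # A wide range (e.g. RPC dynamic ports) cannot be tied to one service; flag it for review.
            if (($to - $from) -gt 64) {
                $findings.Add([pscustomobject]@{
                    Resource = $res.Name; Rule = "$proto/$from-$to"; Source = $source
                    Verdict  = 'RANGE: review manually'
                })
                continue
            }

            foreach ($port in $from..$to) {
                $match = $RequiredAdPorts | Where-Object { $_.Protocol -eq $proto -and $_.Port -eq $port }
                if ($match) {
                    $verdict = "ok: $($match.Service)"
                } elseif ($proto -eq 'tcp' -and $port -eq 3389) {
                    $verdict = 'ADMIN: RDP open to the CIDR; prefer Session Manager port forwarding or a narrower source'
                } else {
                    $verdict = 'UNEXPECTED: not an AD service port; remove or justify'
                }
                $findings.Add([pscustomobject]@{
                    Resource = $res.Name; Rule = "$proto/$port"; Source = $source; Verdict = $verdict
                })
            }
        }
    }
    return $findings
}

Test-AdIngressRules -Json $TemplateJson | Format-Table -AutoSize
```

On the constructed fragment the script marks tcp/80, udp/445 and tcp/5722 as unexpected and tcp/3389 as an administrative port, which is exactly the list the post above asks to remove or justify. Point it at a real template (Get-Content -Raw) to re-run the review after each change.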

DomainController2 creation failing with error message "Failed to receive 1 resource signal(s) within the specified duration"

Issue Description:

  • While trying to launch quickstart for scenario Deploying self-managed AD into a new VPC, VPCStack launches successfully however, ADStack fails with creation of resource DomainController2.
  • Looking into it, we figured out that step 7 runDc1Mof stays stuck in InProgress state for more than an hour, which exceeds the Timeout for the CreationPolicy associated with DomainController2.
  • Additionally, we never faced this issue before the last commit to this repo, which was 10 days ago.

Master Template used to create stack - https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/main/templates/ad-master-1.template

DomainController2 Timeout in Scenario 1

Attempting to deploy this stack with Scenario 1 using the

  • QuickStart button,
  • Amazon's bucket for ad-master-1.template
  • Amazon's bucket for ad-master-1-ssm.template
  • Our own VPC with the Amazon ad-1.template
  • Custom bucket with ad-master-1.template
  • Custom bucket with ad-master-1-ssm.template

Where the Amazon bucket is https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/templates/

These issues all have the same output as the current issue:
#54
#46
#42

Essentially there is a timeout after DomainController2 is unable to send the [SUCCESS] message. There are several logs observed in the logging group.

Following steps from prior issues we find the following:

runPowerShellScript/stderr

```text
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:96
char:5
+     Import-DscResource -Module NetworkingDsc
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'NetworkingDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:97
char:5
+     Import-DscResource -Module xActiveDirectory
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'xActiveDirectory'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:98
char:5
+     Import-DscResource -Module ActiveDirectoryCSDsc
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'ActiveDirectoryCSDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:99
char:5
+     Import-DscResource -Module ComputerManagementDsc
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'ComputerManagementDsc'.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\77cfae4d-ca5d-4a5c-9416-e0f8cbf03d4f\downloads\ConfigDC1-SSM.ps1:100
char:5
+     Import-DscResource -Module xDnsServer
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Could not find the module 'xDnsServer'.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ModuleNotFoundDuringParse

failed to run commands: exit status 255
```

```text
Install-PackageProvider : No match was found for the specified search criteria
for the provider 'NuGet'. The package provider requires 'PackageManagement'
and 'Provider' tags. Please check if the specified package has the tags.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\937c5128-4c70-4b92-8889-3056a35a7e87\downloads\install-ad-modules.ps1:8
char:1
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5 -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvi
   der:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.Pac
   kageManagement.Cmdlets.InstallPackageProvider
```

```text
Exception calling "ShouldContinue" with "2" argument(s): "Windows PowerShell
is in NonInteractive mode. Read and Prompt functionality is not available."
At C:\Program
Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7392 char:8
+     if($Force -or $psCmdlet.ShouldContinue($shouldContinueQueryMessag ...
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : PSInvalidOperationException

Set-PSRepository : NuGet provider is required to interact with NuGet-based
repositories. Please ensure that '2.8.5.201' or newer version of NuGet
provider is installed.
At C:\ProgramData\Amazon\SSM\InstanceData\i-0122e4e67148e280a\document\orchestr
ation\937c5128-4c70-4b92-8889-3056a35a7e87\downloads\install-ad-modules.ps1:9
char:1
+ Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Set-PSRepository], Invali
   dOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Set-PSRepository
```

Other logging output exists, but seems to have been successful.
Currently, I have been trying to set up our environment as close to your testing environment as possible but am unable to create a successful deployment.
Are there any steps that can be taken to resolve this issue?
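The three stderr fragments above form one chain: Install-PackageProvider cannot find the NuGet provider, so Set-PSRepository tries to bootstrap it interactively and fails in the NonInteractive SSM session, so no DSC module is installed, so ConfigDC1-SSM.ps1 fails at parse time with ModuleNotFoundDuringParse and DomainController2 never signals success (the same runDc1Mof hang the previous issue describes). The following is an added example and not the quickstart's install-ad-modules.ps1. It assumes, as a common cause that is not confirmed for this issue, that the instance is negotiating TLS 1.0/1.1 with the PowerShell Gallery, which requires TLS 1.2; it forces TLS 1.2, bootstraps NuGet without any prompt, installs the five modules named in the errors, and fails with one clear message if any are still missing before Import-DscResource is ever reached.

```powershell
# Added example (not the quickstart's install-ad-modules.ps1): bootstrap the NuGet
# provider and the DSC modules named in the ConfigDC1-SSM.ps1 parse errors above, and
# verify them before any configuration that uses Import-DscResource is compiled.
# Assumption (common cause, not confirmed for this issue): the Gallery rejects the
# session because it is not offering TLS 1.2.
$ErrorActionPreference = 'Stop'

# PowerShell Gallery requires TLS 1.2; Windows PowerShell 5.1 does not always offer it.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Modules the DSC configuration imports (from the error output above).
$RequiredModules = 'NetworkingDsc', 'xActiveDirectory', 'ActiveDirectoryCSDsc', 'ComputerManagementDsc', 'xDnsServer'

function Install-AdDscPrerequisites {
    param([string[]]$Modules = $RequiredModules)

    # -Force suppresses the ShouldContinue prompt that throws in a NonInteractive (SSM) session.
    $nuget = Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue |
             Where-Object { $_.Version -ge [version]'2.8.5.201' }
    if (-not $nuget) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }
    Import-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null

    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

    foreach ($m in $Modules) {
        if (-not (Get-Module -ListAvailable -Name $m)) {
            # In an elevated session the default scope is AllUsers (Program Files), which is
            # where the DSC Local Configuration Manager, running as SYSTEM, looks for resources.
            Install-Module -Name $m -Force -Confirm:$false
        }
    }
}

function Test-AdDscPrerequisites {
    param([string[]]$Modules = $RequiredModules)

    $missing = @($Modules | Where-Object { -not (Get-Module -ListAvailable -Name $_) })
    if ($missing.Count -gt 0) {
        # One actionable error instead of five ModuleNotFoundDuringParse messages later.
        throw "DSC modules missing; Import-DscResource will fail: $($missing -join ', ')"
    }
    Get-Module -ListAvailable -Name $Modules | Select-Object Name, Version | Sort-Object Name
}

Install-AdDscPrerequisites
Test-AdDscPrerequisites
```

Running Test-AdDscPrerequisites as its own SSM step, before the step that compiles the MOF, makes the failure visible in the step output instead of surfacing an hour later as a CloudFormation CreationPolicy timeout on DomainController2.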

DomainDNSName max length varies in different templates

The max length of the DomainDNSName parameter varies across templates. For example, the ad-master-3 and ad-1 templates have a max length of 255, but the ad-master-1 and ad-master-2 templates have a max length of 25. I think a restriction of max length 25 is low for DomainDNSName.

ad-master-1 template

```json
"DomainDNSName": {
    "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+",
    "Default": "example.com",
    "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com",
    "MaxLength": "25",
```

ad-master-3 template

```json
"DomainDNSName": {
    "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+",
    "Default": "example.com",
    "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com",
    "MaxLength": "255",
```
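To see which forest root names each template would accept, the following added example (not code from the quickstart) checks a candidate DomainDNSName against the two parameter definitions quoted above and against the limits a DNS name has to satisfy anyway (labels of 1 to 63 characters, at most 253 characters in total, at least two labels). The 25 and 255 values are taken from the issue; the candidate names are constructed for the example.

```powershell
# Added example (not from the quickstart templates): validate a forest root FQDN against
# the DomainDNSName constraints quoted above and against DNS name limits.
$DomainDnsNameParams = @{
    'ad-master-1' = @{ AllowedPattern = '[a-zA-Z0-9\-]+\..+'; MaxLength = 25  }
    'ad-master-3' = @{ AllowedPattern = '[a-zA-Z0-9\-]+\..+'; MaxLength = 255 }
}

function Test-DomainDnsName {
    param([Parameter(Mandatory)][string]$Name)

    $labels    = $Name.Split('.')
    $badLabels = @($labels | Where-Object { $_.Length -lt 1 -or $_.Length -gt 63 })
    # DNS limits: each label 1-63 characters, whole name at most 253 characters,
    # and a forest root must have at least two labels (no single-label domains).
    $dnsOk = ($Name.Length -le 253) -and ($labels.Count -ge 2) -and ($badLabels.Count -eq 0)

    $result = [ordered]@{ Name = $Name; Length = $Name.Length; DnsValid = $dnsOk }
    foreach ($tpl in ($DomainDnsNameParams.Keys | Sort-Object)) {
        $p = $DomainDnsNameParams[$tpl]
        # CloudFormation matches AllowedPattern against the whole value, so anchor it;
        # PowerShell's -match is unanchored by default.
        $patternOk    = $Name -match "^(?:$($p.AllowedPattern))$"
        $result[$tpl] = $patternOk -and ($Name.Length -le $p.MaxLength)
    }
    [pscustomobject]$result
}

# Constructed candidates: the default, a realistic corporate FQDN, and a single-label name.
'example.com', 'corp.contoso-directory.example.com', 'single-label' |
    ForEach-Object { Test-DomainDnsName -Name $_ } | Format-Table -AutoSize
```

The 34-character corporate name is a perfectly valid DNS name and passes ad-master-3, but ad-master-1 rejects it on MaxLength alone, which is the inconsistency the issue points out. The single-label name fails everywhere, as it should.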

Time to replace AMI mappings with Parameter Store lookup

```json
"Mappings": {
    "AWSAMIRegionMap": {
        "AMI": {
            "WS2012R2": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2018.09.15"
        },
        "ap-northeast-1": {
            "WS2012R2": "ami-0f94c740726599c3a"
        },
        "ap-northeast-2": {
            "WS2012R2": "ami-0f033ac3427fcdad0"
        },
        "ap-south-1": {
            "WS2012R2": "ami-0d5f824867e8aeaf6"
        },
        "ap-southeast-1": {
            "WS2012R2": "ami-0f42104b50a572747"
        },
        "ap-southeast-2": {
            "WS2012R2": "ami-06f2dbd8cdf99fd40"
        },
        "ca-central-1": {
            "WS2012R2": "ami-0bc1f82c15f6cb011"
        },
        "eu-central-1": {
            "WS2012R2": "ami-09f85c4c3e4a1ca3b"
        },
        "eu-west-1": {
            "WS2012R2": "ami-019526e560b1c9df4"
        },
        "eu-west-2": {
            "WS2012R2": "ami-068ee8cde1f60ca7f"
        },
        "sa-east-1": {
            "WS2012R2": "ami-04fddd42220f1829a"
        },
        "us-east-1": {
            "WS2012R2": "ami-04b06bdb58cae787d"
        },
        "us-east-2": {
            "WS2012R2": "ami-08c59800a21429561"
        },
        "us-west-1": {
            "WS2012R2": "ami-08f6003bf4d50fe60"
        },
        "us-west-2": {
            "WS2012R2": "ami-0d1a1bbc1331e97f7"
        }
    }
}
```
```yaml
Parameters:

  LatestAmazonWindows2012R2AmiId:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base'

...
    Properties:
      ImageId: !Ref LatestAmazonWindows2012R2AmiId
```
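A hardcoded mapping like the one above goes stale (the 2018.09.15 image has long since been superseded) and, being a bare AMI ID, carries no proof of who published it. The public SSM parameter proposed above solves the staleness; the following added example (not part of the quickstart) shows the remaining check a practitioner would add before trusting the resolved ID: resolve the parameter, confirm the image is Amazon-owned and carries the expected name, and report whether the old mapping entry for that region has drifted. It assumes the AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement modules and credentials allowed to call ssm:GetParameter and ec2:DescribeImages; the mapping subset embedded below is copied from the issue.

```powershell
# Added example (not code from the quickstart): resolve the latest Windows Server 2012 R2
# AMI via the public SSM parameter, verify its publisher, and compare with the old mapping.
# Needs AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement plus valid AWS credentials.
$ErrorActionPreference = 'Stop'
Import-Module AWS.Tools.EC2, AWS.Tools.SimpleSystemsManagement

$ParameterName = '/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base'

# Subset of the hardcoded mapping from the issue above (expected to be stale).
$HardcodedAmiMap = @{
    'us-east-1' = 'ami-04b06bdb58cae787d'
    'us-east-2' = 'ami-08c59800a21429561'
    'us-west-1' = 'ami-08f6003bf4d50fe60'
    'us-west-2' = 'ami-0d1a1bbc1331e97f7'
}

function Resolve-QuickstartAmi {
    param([Parameter(Mandatory)][string]$Region)

    $resolvedId = (Get-SSMParameter -Name $ParameterName -Region $Region).Value
    $image      = Get-EC2Image -ImageId $resolvedId -Region $Region

    # The parameter path is Amazon-maintained, but a template can just as easily carry a
    # mistyped path or a bare AMI ID, so verify the publisher and name of what came back.
    if ($image.ImageOwnerAlias -ne 'amazon') {
        throw "AMI $resolvedId in $Region is owned by '$($image.OwnerId)', not Amazon; refusing to use it."
    }
    if ($image.Name -notlike 'Windows_Server-2012-R2_RTM-English-64Bit-Base-*') {
        throw "AMI $resolvedId has unexpected name '$($image.Name)'."
    }

    $hardcoded = $HardcodedAmiMap[$Region]
    [pscustomobject]@{
        Region       = $Region
        ResolvedAmi  = $resolvedId
        ImageName    = $image.Name
        Created      = $image.CreationDate
        HardcodedAmi = $hardcoded
        MappingStale = ($null -ne $hardcoded) -and ($hardcoded -ne $resolvedId)
    }
}

Resolve-QuickstartAmi -Region 'us-east-1' | Format-List
```

With the AWS::SSM::Parameter::Value<String> parameter type, CloudFormation performs the same resolution at stack creation; this script is the out-of-band check that tells you what ID the stack will actually launch and whether it is the image you expect.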
