Design and deploy fresh Active Directory infrastructure - Questions

    Question

  • Hi Guys,

    We are moving our old infrastructure from a hosting provider to AWS and we would like to create a new infrastructure that is as good as possible :) Because of this I have a lot of questions. May I count on your help?

    Scenario:
    - For now around 30 windows servers (2012R2)
    - around 200 servers based on Linux

    We would like to use AD to:
    - manage access to Windows servers and, in future, to Linux servers and other services across the whole company
    - configure Windows servers
    - quickly deploy a new server, for example for a test environment (for developers)

    In AWS we would like to have two environments:
    - PRODUCTION
    - DISASTER RECOVERY

    I have some questions related with this:

    1) Should I create one AD or two separate ones? Use two domains? Or one master and two children? DR and PROD will be in two AWS Regions. I don't want to have too large an environment because of the administration work.

    2) Our naming convention for hostnames will be:
    MACHINE.SERWERGROUP.AWSREGION.COMPANYNAME.COM - This will be for all our Windows and Linux servers. Where would you recommend putting DOMAINNAME? Or should I use one part of the above example as the hostname?

    3) Should I use a typical system instance (EC2) or use AWS Directory Service - do you have any experience with this?

    4) What about replication between regions?

    Thanks,
    Mateusz


    Friday, January 6, 2017 11:30 AM

All replies



    1. To reduce administrative effort, you can install one forest with a single domain. The DR and PROD environments should use different subnets. In this case you can create two Active Directory sites, one for PROD and the second for DR. To get more information about sites and subnets you can refer to this link: Understanding Sites, Subnets, and Site Links.
    2. For the domain name convention, you should avoid using a period (.) in the host name. You can replace it with a minus sign (-). So I recommend you choose companyname.com as the domain name and this naming convention for the host name: MACHINE-SERWERGROUP-AWSREGION.COMPANYNAME.COM. To get more details you can refer to Naming conventions in Active Directory for computers, domains, sites, and OUs.
    3. For Active Directory replication you should link the physical sites by site-to-site VPN, create an Active Directory site for each one (DR and PROD) and configure site links between the Active Directory sites to let the KCC create the connection objects automatically.

    Friday, January 6, 2017 1:18 PM
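As an added example (not part of the thread), this PowerShell script does what the answer above describes: it creates the PROD and DR sites, maps each region's VPC subnet to its site, creates one IP site link so the KCC can build the inter-site connection objects, and moves each DC into its site. The CIDRs and DC names are placeholders; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: two AD sites for two AWS regions (placeholders throughout).
Import-Module ActiveDirectory

$sites = @{
    'PROD' = '10.10.0.0/16'   # placeholder: PROD VPC CIDR
    'DR'   = '10.20.0.0/16'   # placeholder: DR VPC CIDR
}

foreach ($name in $sites.Keys) {
    # Create the site only if it does not already exist.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # Map the region's subnet to the site so the DC locator hands clients a local DC.
    $cidr = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $name
    }
}

# One site link between the two sites; the KCC creates connection objects from it.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'PROD-DR'")) {
    New-ADReplicationSiteLink -Name 'PROD-DR' -SitesIncluded 'PROD', 'DR' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Move each DC out of Default-First-Site-Name into its region's site (placeholder names).
Move-ADDirectoryServer -Identity 'DC-PROD-01' -Site 'PROD'
Move-ADDirectoryServer -Identity 'DC-DR-01'   -Site 'DR'

# Check: every subnet must map to a site, otherwise clients may pick any DC in the forest.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

A client whose address falls outside every defined subnet is not bound to a site, so the final listing is the check to run whenever a new VPC or CIDR is added.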
  • Thanks for your response. It is really helpful.

    Do you recommend using the company's public domain as the AD domain? Won't it be a problem with DNS resolving?

    Friday, January 6, 2017 2:50 PM
  • 
    It's recommended to avoid it, to simplify DNS administration.

    In fact, when you use the public domain for the AD domain, you will have two separate DNS servers managing the same DNS zone with different data.

    Friday, January 6, 2017 3:15 PM
  • Is it possible to somehow obtain an FQDN like SERVERNAME.GROUPNAME.AWSREGION.AD.DOMAIN.COM?

    We have this naming convention for our Linux machines and we would like to have the same for Windows. 

    Monday, January 9, 2017 1:21 PM
  • Unfortunately, you can't; the only way to have this scheme is to deploy a child domain, which is not recommended in your situation.

    Find the naming rules below:

    DNS host names

    Allowed characters
    DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

    In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

    Disallowed characters
    DNS host names cannot contain the following characters:
    • comma (,)
    • tilde (~)
    • colon (:)
    • exclamation point (!)
    • at sign (@)
    • number sign (#)
    • dollar sign ($)
    • percent (%)
    • caret (^)
    • ampersand (&)
    • apostrophe (')
    • period (.)
    • parentheses (())
    • braces ({})
    • underscore (_)
    • white space (blank)
    The underscore has a special role, as it is permitted for the first character in SRV records by RFC definition, but newer DNS servers may also allow it anywhere in a name. For more details, see: http://technet.microsoft.com/en-us/library/cc959336.aspx.

    More rules are:
    • All characters preserve their case formatting except for American Standard Code for Information Interchange (ASCII) characters.
    • The first character must be alphabetical or numeric.
    • The last character must not be a minus sign or a period.

    Monday, January 9, 2017 1:35 PM
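As an added example (not from the thread or the quoted KB article), this PowerShell function checks a proposed computer host name against the rules listed above: only letters, digits and the minus sign; no period inside the host name; first character a letter or digit; last character not a minus sign or period. The sample names are constructed to show why the thread's dotted convention fails and the hyphenated one passes.

```powershell
# Added example: validate a single host name (not the FQDN) against the quoted rules.
function Test-AdHostName {
    param([Parameter(Mandatory)][string]$HostName)
    $problems = @()

    if ([string]::IsNullOrEmpty($HostName)) {
        $problems += 'host name is empty'
    }
    else {
        # Periods are delimiters between domain components, never part of a host name.
        if ($HostName.Contains('.')) {
            $problems += 'period (.) is not allowed inside a host name'
        }
        # Allowed characters: A-Z, 0-9 and minus; everything else (_, space, @ ...) is rejected.
        if ($HostName -notmatch '^[A-Za-z0-9.-]+$') {
            $problems += 'contains a disallowed character'
        }
        # First character must be alphabetical or numeric.
        if ($HostName -notmatch '^[A-Za-z0-9]') {
            $problems += 'first character must be a letter or digit'
        }
        # Last character must not be a minus sign or a period.
        if ($HostName -match '[-.]$') {
            $problems += 'last character must not be a minus sign or period'
        }
    }

    [pscustomobject]@{
        Name     = $HostName
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample names: the thread's dotted form, the recommended form, and two bad ones.
'MACHINE.SERWERGROUP.AWSREGION',
'MACHINE-SERWERGROUP-AWSREGION',
'web_01',
'db-01-' | ForEach-Object { Test-AdHostName -HostName $_ } | Format-Table -AutoSize
```

Run this against a planned name before `Add-Computer`; a name that fails here will either be rejected or silently cause DNS registration problems once the machine is joined.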
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate you marking them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 13, 2017 9:14 AM
    Moderator
  • Thank you for all the responses. The creation process is still in progress, so I'll have more questions in the future.

    For now, one question.

    Between sites I have to have communication via VPN.

    Will it be sufficient if I create a one-to-one VPN between domain controllers (instead of site-to-site)?

    Then joined computers can communicate with their local domain controller and they don't have access to the "main" domain controller in the other location. And the local domain controller can communicate with the "main" domain controller via VPN. Is that possible? We don't want a case where joined computers have access to the network with the main domain controller.

    Sunday, January 22, 2017 6:57 PM
  • This is not the correct way to do that. When you have branches you have to configure Active Directory Sites and Services to prevent any branch user from contacting the main DC. It is also not recommended to create a one-to-one VPN between DCs, but technically it will work if every DC has 2 NICs (internal and external).

    The best practice is to have site-to-site.

    useful link:

    https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/

    Tuesday, January 24, 2017 5:44 AM
  • Hmm, is there any other way to connect two AWS regions into one Active Directory? I thought that a VPN between domain controllers could be good.
    Friday, January 27, 2017 11:50 AM
  • Hi,
    I am sorry that, regarding connecting two AWS regions into one Active Directory, there is no more such information to be found based on my research.
    As Mohammed Smadi said, if you create a one-to-one VPN between DCs for connecting two AWS regions, then every DC seems to need 2 NICs; however, it is not suggested to do that, please see details from: https://support.microsoft.com/en-us/help/272294/active-directory-communication-fails-on-multihomed-domain-controllers
    And if you do it, many unknown issues might happen, but you could have a try; please make sure to test first and back up everything. And in the deployment process, you could also open a case with Microsoft Technical Support to see if they could offer remote support: https://support.microsoft.com/en-us/contactus/?ws=support
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 3:50 AM
    Moderator