Sprint 3 Documentation - drewwbikk/capstone GitHub Wiki

Create a DHCP options set in AWS VPC

The options set hands the domain name and the DNS server list to every instance in the VPC over DHCP, so instances can locate the domain controllers without any per-host configuration.

Navigate to the VPC console -> DHCP option sets -> Create DHCP options set. Enter the Domain name (yourname.local) and the Domain name servers, listing ad01 first and the IP you have planned for ad02 second, so it is already in place as the backup DNS once ad02 is set up.


Then, associate this new DHCP options set with your VPC (under Actions).

Now, when the instances renew their DHCP leases, they pick up the new DNS servers and domain name and can resolve the domain. Renewing the lease by hand (or rebooting the instance) applies the change immediately instead of waiting for the lease timer.

Add ad02 to the domain

First, create AD sites and subnets for both the local and the remote location. On mgmt01, open Active Directory Sites and Services connected to ad01 and create a new site named AWS; when the wizard asks for a site link, choose the existing one so the new site actually replicates.


Then rename the default site (Default-First-Site-Name) to Premise.

Now create two new subnets: the on-premise range, assigned to the Premise site, and the VPC subnet, assigned to the AWS site.

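The same site and subnet layout as an added PowerShell example, run from mgmt01 with the RSAT ActiveDirectory module; this is not code from the wiki. The on-premise range 10.0.0.0/24 and the VPC subnet 192.168.0.0/24 are assumed for illustration (the page only names the 192.168.0.0 network), and DEFAULTIPSITELINK is assumed to be the site link in use.

```powershell
# Added example (not from the wiki): sites and subnets for the Premise and AWS
# locations, run from mgmt01 against ad01. Subnet ranges are assumptions.
Import-Module ActiveDirectory

$Dc           = 'ad01'
$OnPremSubnet = '10.0.0.0/24'     # assumed on-premise range -> Premise site
$AwsSubnet    = '192.168.0.0/24'  # assumed VPC subnet -> AWS site

# Rename the default site so the on-premise DC is clearly identified.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' -Server $Dc |
    Rename-ADObject -NewName 'Premise' -Server $Dc

# Create the AWS site and put it on the existing site link. A site that sits on
# no site link never replicates; the GUI wizard forces this choice, the cmdlet does not.
New-ADReplicationSite -Name 'AWS' -Server $Dc
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'AWS' } -Server $Dc

# Subnet objects map client addresses to sites; without them a VPC host may keep
# using ad01 over the VPN for logons and DNS even after ad02 is a DC.
New-ADReplicationSubnet -Name $OnPremSubnet -Site 'Premise' -Server $Dc
New-ADReplicationSubnet -Name $AwsSubnet    -Site 'AWS'     -Server $Dc

# Verify the subnet-to-site mapping before promoting ad02.
Get-ADReplicationSubnet -Filter * -Server $Dc |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=', '' } }
```

The site link step is the one the GUI hides: when ad02 is later promoted into the AWS site, replication between the two DCs only happens because both sites share a link.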

Launch Server Manager on ad02. On the Local Server page, click the Workgroup link to open System Properties, change the computer name to ad02-yourname, and make it a member of the yourname.local domain.


:bulb: Note: If the join fails, the firewall on ad01 is most likely blocking a port the join needs. Run PortQryUI with the "Domains and Trusts" query against ad01 to see which ports are filtered, and open them on ad01.

Once you restart, use the RDP file to log into the instance again, but choose "Other User" and log in with a domain account.


Add ad02 as a managed server on mgmt01

In Server Manager on mgmt01, go to Manage -> Add Servers and add ad02 as a managed server.


Install the ADDS role on ad02

Manage -> Add Roles and Features -> select ad02 as the destination server -> tick the Active Directory Domain Services role (accept adding the management tools when prompted) -> Install.

Then promote the server to a domain controller (Server Manager shows a post-deployment notification for this). The default options are fine; just make sure it is placed in the AWS site.
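Joining ad02 and promoting it, as an added PowerShell example run on ad02 itself; these are not the wiki's own steps. It uses the page's placeholder names. The TCP port list is the standard set a domain join needs and stands in for the PortQryUI check in the note above; Test-NetConnection only probes TCP, so the UDP side of DNS, Kerberos and LDAP is not covered.

```powershell
# Added example (not from the wiki): join ad02 to the domain, then promote it as
# a DC in the AWS site. Part 1 runs as a local administrator on ad02; Part 2 runs
# after the restart, logged on with a domain account. Names are the page's placeholders.

# --- Part 1: connectivity check and join ----------------------------------------
$Domain  = 'yourname.local'
$NewName = 'ad02-yourname'
$Cred    = Get-Credential -Message "Domain account allowed to join $Domain"

# Ports a domain join needs on ad01 (the TCP part of what PortQryUI's
# "Domains and Trusts" query probes). Any failure here points at the ad01 firewall.
$AdPorts = @{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; KPasswd = 464; LDAPS = 636; GC = 3268 }
$Blocked = $AdPorts.GetEnumerator() | Where-Object {
    -not (Test-NetConnection -ComputerName 'ad01' -Port $_.Value -InformationLevel Quiet -WarningAction SilentlyContinue)
} | ForEach-Object { "$($_.Key)/$($_.Value)" }
if ($Blocked) { throw "ad01 is filtering TCP $($Blocked -join ', '); open these before joining." }

# Rename and join in one step, then reboot. Log back on via RDP as "Other User"
# with a domain account before continuing.
Add-Computer -DomainName $Domain -NewName $NewName -Credential $Cred -Restart

# --- Part 2: after the restart (new session, so re-declare the domain) -----------
$Domain = 'yourname.local'
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# -SiteName puts the DC straight into the AWS site; -InstallDns gives VPC hosts a
# local resolver. The DSRM password is separate from every domain account and is
# what you need if the DC ever has to be recovered offline, so store it properly.
Install-ADDSDomainController -DomainName $Domain -SiteName 'AWS' -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin for promotion') `
    -SafeModeAdministratorPassword (Read-Host -Prompt 'DSRM password' -AsSecureString) `
    -Force
```

Run the two parts separately; the -Restart on Add-Computer ends the first session. The port check is deliberately done before the join attempt so a filtered port shows up as a named port rather than as a generic join error.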


Add DNS for AWS

Make sure DNS has replicated to ad02. The zones are AD-integrated, so they replicate on their own some time after the promotion. The A records for the AWS hosts go in the existing Forward Lookup Zone, but PTR records for the 192.168.0.0 subnet need a new Reverse Lookup Zone.

To create it, open DNS Manager, select one of the domain controllers, right-click Reverse Lookup Zones and add a new zone for that network (keep it AD-integrated so it replicates like the forward zone).


When done, open ad02's A record in the Forward Lookup Zone and tick "Update associated pointer (PTR) record"; the PTR record is created automatically in the reverse zone you just made.


The new zone takes a while to replicate to the other domain controller. Meanwhile, add ad02 as a secondary DNS server in the on-premise DHCP scope options.


Remember to update the DNS server list on any machines with statically assigned IP addresses as well; they never see the DHCP change.

Now is also a good time to add the A records for the VPN endpoints and for web02.

:bulb: To force replication instead of waiting, open Active Directory Sites and Services, expand the Premise site -> Servers -> ad01 -> NTDS Settings, right-click the connection object and click Replicate Now.
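The DNS and DHCP steps of this section as one added PowerShell example run from mgmt01; it is not the wiki's own code. It uses the RSAT DnsServer, DhcpServer and ActiveDirectory tools plus repadmin. The addresses of ad01 (10.0.0.10), ad02 (192.168.0.10), the VPN endpoint and web02, and the assumption that ad01 hosts the on-premise DHCP role, are all illustrative; only the 192.168.0.0 network is named on the page.

```powershell
# Added example (not from the wiki): reverse zone for the VPC subnet, PTR for ad02,
# the extra A records, the DHCP secondary DNS, and a forced replication.
# Addresses and the DHCP server host are assumptions for illustration.
$Zone     = 'yourname.local'
$Ad01     = 'ad01'
$Ad02     = 'ad02'            # ad02-yourname on the page; the short name is used here
$Ad01Ip   = '10.0.0.10'       # assumed
$Ad02Ip   = '192.168.0.10'    # assumed, inside the 192.168.0.0 VPC subnet
$DhcpHost = 'ad01'            # assumed location of the on-premise DHCP role

# 1. AD-integrated reverse zone: ReplicationScope Domain means ad02 receives it too.
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -ComputerName $Ad01
$RevZone = '0.168.192.in-addr.arpa'

# 2. PTR for ad02 (what the "Update associated pointer (PTR) record" box does).
#    The record name is the host octet of the address.
Add-DnsServerResourceRecordPtr -ZoneName $RevZone -Name ($Ad02Ip.Split('.')[-1]) `
    -PtrDomainName "$Ad02.$Zone" -ComputerName $Ad01

# 3. A records for the VPN endpoint and web02 (addresses assumed).
@{ 'vpn' = '10.0.0.1'; 'web02' = '192.168.0.20' }.GetEnumerator() | ForEach-Object {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $_.Key -IPv4Address $_.Value -ComputerName $Ad01
}

# 4. Hand out ad02 as secondary DNS to on-premise DHCP clients (server-level option 6).
#    Statically addressed hosts do not see this and must be updated by hand.
Set-DhcpServerv4OptionValue -ComputerName $DhcpHost -DnsServer $Ad01Ip, $Ad02Ip

# 5. Push the change to ad02 now instead of waiting for the site link schedule.
#    Domain-scope DNS zones live in the DomainDnsZones partition, so replicate
#    that as well as the domain partition, then confirm the zone exists on ad02.
$DomainDn = (Get-ADDomain $Zone).DistinguishedName
repadmin /replicate $Ad02 $Ad01 $DomainDn
repadmin /replicate $Ad02 $Ad01 "DC=DomainDnsZones,$DomainDn"
Get-DnsServerZone -ComputerName $Ad02 -Name $RevZone
```

Step 5 is the scripted equivalent of Replicate Now in Sites and Services; the second repadmin call matters because forcing only the domain partition leaves the new DNS zone waiting on the normal schedule.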


Lastly, the VPC's DHCP options set has to be replaced so ad02 becomes the primary DNS server for the VPC subnet. An existing options set cannot be edited, so create a new one with ad02 listed first and ad01 second, associate it with the VPC, and delete the old set once nothing uses it.
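The options set handling as an added PowerShell example using AWS Tools for PowerShell (AWS.Tools.EC2); it is not the wiki's own code. One function covers both the initial set created at the top of this page and the replacement described here. The VPC ID and the addresses 10.0.0.10 (ad01) and 192.168.0.10 (ad02) are assumptions.

```powershell
# Added example (not from the wiki): create and associate a VPC DHCP options set.
# Options sets are immutable after creation, so the same function is run twice
# with the server order swapped. VPC ID and addresses are assumptions.
function Set-VpcDnsOptions {
    param(
        [Parameter(Mandatory)] [string]   $VpcId,
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string[]] $DnsServers   # order is the clients' preference order
    )
    $Config = @(
        @{ Key = 'domain-name';         Values = @($DomainName) },
        @{ Key = 'domain-name-servers'; Values = $DnsServers }
    )
    $Set = New-EC2DhcpOption -DhcpConfiguration $Config
    Register-EC2DhcpOption -DhcpOptionsId $Set.DhcpOptionsId -VpcId $VpcId
    return $Set.DhcpOptionsId
}

$VpcId = 'vpc-0123456789abcdef0'   # assumed

# Before ad02 exists: ad01 primary, ad02's planned address already listed as backup.
$First = Set-VpcDnsOptions -VpcId $VpcId -DomainName 'yourname.local' -DnsServers '10.0.0.10', '192.168.0.10'

# After ad02 is a DC: swap the order so VPC instances query the local DC first.
$Second = Set-VpcDnsOptions -VpcId $VpcId -DomainName 'yourname.local' -DnsServers '192.168.0.10', '10.0.0.10'

# The superseded set can go once no VPC is associated with it.
Remove-EC2DhcpOption -DhcpOptionsId $First -Force
```

Instances only see the new set when their lease is renewed, so renew or reboot the ones you are testing with rather than assuming the change is live.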

Deploy and domain join an instance on AWS

In AWS, deploy a new EC2 instance running CentOS 7 on a t2.micro (there are no Windows 10 AMIs, only Windows Server; if you want a Windows desktop you can build your own AMI from a VMware image). Put it on the correct VPC and subnet, and create a new security group for general workstations (I named mine wks-sg).

:bulb: Note: You have a couple of options here. Now that the site-to-site VPN is working, you can reach this instance by its private IP alone, which keeps it off the internet entirely. Or you can associate an Elastic IP with it.
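The workstation security group and the instance launch as an added PowerShell example with AWS Tools for PowerShell (AWS.Tools.EC2); it is not the wiki's own code. The VPC, subnet and AMI IDs, the key pair name, and the on-premise range 10.0.0.0/24 are assumptions. It takes the private-IP-only option from the note above: the group admits traffic only from the on-premise range that arrives over the VPN.

```powershell
# Added example (not from the wiki): a workstation security group that only
# admits the on-premise range (reached over the site-to-site VPN), then a
# CentOS 7 t2.micro in the VPC subnet. All IDs and ranges are assumptions.
$VpcId    = 'vpc-0123456789abcdef0'
$SubnetId = 'subnet-0123456789abcdef0'
$Ami      = 'ami-0123456789abcdef0'   # CentOS 7 AMI for your region
$KeyName  = 'yourkey'
$OnPrem   = '10.0.0.0/24'             # assumed on-premise range

# New-EC2SecurityGroup returns the new group's ID.
$Sg = New-EC2SecurityGroup -GroupName 'wks-sg' -Description 'General workstations' -VpcId $VpcId

# Inbound rules: SSH and ping from the on-premise range only. Nothing is opened
# to 0.0.0.0/0, so the instance is unreachable from the internet even if an
# Elastic IP is attached later by mistake.
$Rules = @(
    @{ IpProtocol = 'tcp';  FromPort = 22; ToPort = 22; IpRanges = @($OnPrem) },
    @{ IpProtocol = 'icmp'; FromPort = -1; ToPort = -1; IpRanges = @($OnPrem) }
)
Grant-EC2SecurityGroupIngress -GroupId $Sg -IpPermission $Rules

# Launch into the VPC subnet with the new group; the domain join comes afterwards.
$Reservation = New-EC2Instance -ImageId $Ami -InstanceType 't2.micro' -MinCount 1 -MaxCount 1 `
    -SubnetId $SubnetId -SecurityGroupId $Sg -KeyName $KeyName
$InstanceId = $Reservation.Instances[0].InstanceId
New-EC2Tag -Resource $InstanceId -Tag @{ Key = 'Name'; Value = 'wks01' }

# The private address is what you will SSH to over the VPN.
(Get-EC2Instance -InstanceId $InstanceId).Instances[0].PrivateIpAddress
```

If you do decide to associate an Elastic IP, add a separate rule limited to your own public address rather than widening the on-premise rule.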

Joining a CentOS machine to a domain

Use the following command to install the packages needed:

```shell
# realmd drives the join, sssd handles AD authentication afterwards, and
# oddjob-mkhomedir creates home directories at first login. adcli (what realm
# uses to perform the join) and krb5-workstation (kinit, for testing) are added
# here because a minimal CentOS 7 install does not have them.
sudo yum install -y realmd samba samba-common oddjob oddjob-mkhomedir sssd adcli krb5-workstation
```

Use the following command to join the linux server to the domain:

```shell
# Join with a domain account that is allowed to create computer objects; the
# account name on the original page was given as user@domain and is not shown
# here. realm needs root, and the domain is written in capitals (see below).
sudo realm join -U yourusername YOURDOMAIN.LOCAL
```

Write the domain in capital letters: the Kerberos realm name is the upper-case form of the domain (YOURDOMAIN.LOCAL), and using it here helps realm discover the domain correctly.

Use the following command to check whether the join succeeded. If it did, the output lists your domain with its details, including the line configured: kerberos-member:

```shell
realm list
```
