Automatic creation of a highly available domain using CloudFormation in AWS

Build the environment

In this post, our colleague José Antonio Gallardo explains in detail some of the AWS native tools that give users a new range of automation capabilities. Combined with the easy replication of environments through infrastructure as code and the use of native cloud tools to ensure high availability, these greatly simplify the management of tasks that previously required a complex solution.

One of these tasks is the creation and management of Windows domains in high availability. The deployment of these domain controllers is the fundamental pillar on which remote desktop collection architectures are built. Usually these collections handle the remote sessions of a large number of people from the same environment, so they are environments where availability and elasticity are critical characteristics.

AWS offers its users a series of CloudFormation templates which, supported by Microsoft's PowerShell DSC (Desired State Configuration), a management tool capable of configuring the roles and features of the instances through PowerShell, allow raising a high availability environment with two domain controllers (DCs) hosted on different subnets.

Once we have generated a network infrastructure capable of supporting HA, we launch the following CloudFormation template and supply the following parameters:

  • Network parameters: the CIDR and ID of our VPC and the IDs of the public subnets to be used.

  • Instance configuration: the DC instance type, its NetBIOS name and private IP address, the key pair needed to retrieve the instances' local administrator password, and the Windows version whose updated AMI AWS Systems Manager should look up.

  • Quick Start domain and bucket configuration: the domain-related settings (user/password, DNS and NetBIOS names) and the bucket where the configuration artifacts needed to configure the machines will be stored.

Once the parameters are configured to our liking, AWS CloudFormation transparently performs the following tasks to bring up the environment:

  1. Create a series of AWS Systems Manager documents which, supported by PowerShell DSC, manage the installation and configuration of the necessary roles (Active Directory Domain Services and Active Directory DNS) on the instances that will act as domain controllers, and store the sensitive data in secret stores such as AWS Secrets Manager.
  2. Launch the instances in the designated region, spread across the indicated AZs, with the parameters configured by the user.
  3. Execute the documents generated in step 1 on the instances from step 2 to configure them. Because the tasks on the instances require reboots and must run sequentially, CloudFormation signals (cfn-signal) are used to manage the complete domain-generation flow.
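As an added example (not the Quick Start's own template), the following minimal CloudFormation fragment shows the three mechanisms the steps above rely on: the AMI resolved through a public Systems Manager parameter, the domain administrator password generated straight into Secrets Manager rather than passed in clear, and a CreationPolicy that holds the stack until cfn-signal reports that the instance's configuration run has completed. Resource and parameter names, the instance type, private IP and two-hour timeout are my own choices, cfn-signal.exe is assumed to be on the PATH as it is on AWS Windows AMIs, and the line where the SSM/DSC document would be executed is a placeholder.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
  ADServerInstanceType:
    Type: String
    Default: m5.large
  ADServerNetBIOSName:
    Type: String
    Default: DC1
  ADServerPrivateIP:
    Type: String
    Default: 10.0.0.10
  # CloudFormation resolves this public SSM parameter, so the AMI is always the current patched build
  LatestWindowsAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base
Resources:
  # Domain admin password is generated and kept in Secrets Manager, never written into the template
  DomainAdminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        PasswordLength: 24
        ExcludeCharacters: '"@/\'
  DomainController1:
    Type: AWS::EC2::Instance
    # The stack stays CREATE_IN_PROGRESS until cfn-signal reports the DSC run, reboots included, is done
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT2H
    Properties:
      ImageId: !Ref LatestWindowsAmiId
      InstanceType: !Ref ADServerInstanceType
      KeyName: !Ref KeyPairName
      SubnetId: !Ref SubnetId
      PrivateIpAddress: !Ref ADServerPrivateIP
      Tags:
        - Key: Name
          Value: !Ref ADServerNetBIOSName
      UserData:
        Fn::Base64: !Sub |
          <script>
          rem placeholder: the SSM document / DSC run that installs AD DS and DNS would be invoked here
          cfn-signal.exe -e %ERRORLEVEL% --stack ${AWS::StackName} --resource DomainController1 --region ${AWS::Region}
          </script>
```

If the signal never arrives within the timeout, CloudFormation rolls the stack back instead of leaving a half-configured domain controller in service.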

Once this process is finished, we have the following architecture, formed by two domain controllers deployed to ensure high availability.

With this base structure in place, it is possible to deploy highly available infrastructures for managing a group of remote desktop collections that scale on demand, providing the desired scalability and high availability.
