Comments on The SysAdmin's Water Cooler: AWS - Auto join EC2 Windows instance to Active Directory Domain
(blog comment feed, newest first; feed last updated 2022-04-01)

Arpioni, 2019-01-24:

The IP address is provided by AWS and is the same for all AWS EC2 instances. So you will require that to remain as is.

I'm not certain if you can leave the OU blank. I think you may leave OU= out entirely, and it will place it into the default Computers OU.

Yes, you should be able to add the DNS configuration to either the UserData or the PowerShell script. Or you can update your VPC DHCP option set instead.

Hope that helps.

Shaps, 2019-01-17:

Ryan,

A few questions about your script. The IP address, is that something I have to set for my network that I am on, or is it an actual IP address for AWS? Also, I do not really have an OU, so do I just use OU= and then blank, or can I just get rid of that whole part? I also saw where you had a line you suggested for pointing to your DNS server; was that in the User Data section, or the PowerShell script? As you can probably tell, I'm really new to AWS. And the network I am building is not for actual use, but for folks to do vulnerability analysis on. So clear-text passwords are not a problem.

Anonymous, 2017-11-30:

I am getting this error when I run the PowerShell while building the server.

"Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application."

Anonymous, 2017-09-18:

Anyone having luck running this against Windows Server 2016 instances?
I get the below error:

retrieving the com class factory for component with clsid failed due to the following error 800703fa

Arpioni, 2016-09-26:

Thanks for the feedback.

I'm curious about the 'Restart-Computer -Force', as this shouldn't be required since the Add-Computer statement contains the option to -Restart.

Anonymous, 2016-09-25:

Thanks for this. Made some modest changes to get this to work for me. To line 18:

echo $_.Exception | Out-File -FilePath "C:\Program Files\Amazon\Ec2ConfigService\Logs\error-joindomain.txt" -Append

I added the "-FilePath". Also decided to use an existing directory over creating "c:\temp".

Getting the -OUPath is critical. I'm connecting to a Microsoft AD and the path to "OU=Computers" is different.

Finally I added a "Restart-Computer -Force" at the end.

Arpioni, 2016-06-30:

Are you using a custom AMI? Maybe try configuring the RDP service to Startup Delayed, as well as configuring the recovery to restart the service on failure?
If it's a default AWS AMI, can you provide which AMI you are using? I'd be happy to test.

Anonymous, 2016-06-30:

@Ryan - The PowerShell script itself has a restart command that reboots the box after the domain join is completed. Based on the console log I can see that the reboot is successful, and I can also see from the "Get Instance Screenshot" that the server is waiting for login. But it seems that RDP does not respond at all. Even telnet to port 3389 fails. Then when I do another reboot from the AWS console, I can log onto the box without any issues; I could see that the server was joined to the domain successfully and no error messages at all. It seems there is nothing wrong with your PowerShell script, but what is causing me heartburn is the double reboot :(.

BTW, I really appreciate all your help. You have been super helpful :)

Arpioni, 2016-06-29:

When you say reboot, I'll assume you are initiating the reboot from the AWS console or CLI since you're not able to RDP to the server?
It sounds like something is preventing the restart; what OS are you using?
Can you look at the EC2Config log, C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog
You should be able to see in here where or if it restarts the server, something like this:
2016-06-29T19:31:19.568Z: Background plugin complete: Ec2HandleUserData
2016-06-29T19:31:19.568Z: After ready plugins complete.
2016-06-29T19:31:19.568Z: Main configuration starting...
2016-06-29T19:31:19.599Z: Main configuration started.
2016-06-29T19:31:35.505Z: Ec2ConfigService stopping...
2016-06-29T19:31:35.505Z: stopping Main configuration
2016-06-29T19:31:35.505Z: stopping Legacy configuration

Is there an exception caught from the script? c:\temp\error-joindomain.txt

Anonymous, 2016-06-29:

@Ryan - It looks like RDP is not responding at all on that server. The System Log from AWS does not show anything out of the ordinary. Telnet to 3389 on the server is failing. However, after I reboot again, everything comes back normal.

Arpioni, 2016-06-29:

What error do you receive when you try to logon and it fails?
Have you confirmed it is indeed restarting the server via the script? You should be able to review the logs within the AWS console: Actions > Instance Settings > Get System Log, and notice the restart event or possibly any errors.

Anonymous, 2016-06-28:

Ryan, for the most part this works well except, after joining the domain, I have to reboot the server twice. As you know, the script itself reboots it once, but then I am not able to log onto the server without rebooting it again. Any ideas?

Arpioni, 2016-05-27:

True, they could potentially decompile it, but they would need access to the exe file to do that, vs simply retrieving the password from plain text in the UserData.
I do like your suggestion of restricting the AD account. This would add another layer of security. Thanks for providing the input!

ramz, 2016-05-26:

I don't disagree with your logic, but a simple hex editor/decompiler is all anyone needs to retrieve that password. We got around this by creating an AD account whose sole permission is to add/remove systems from the directory in a specific OU. Not 100% bulletproof, but it's something.

Arpioni, 2016-05-25:

ramz,
You can put the script into the UserData, but I wanted a process that would not allow the password to be retrieved. UserData may be retrieved from the instance or the console, and it is not protected by cryptographic methods. Therefore it is advised not to store passwords within the UserData.

ramz, 2016-05-24:

I'm sure you had a valid reason for not doing so, but I'm not sure I understand why you just didn't put the contents of the JoinDomain.PS1 script into the UserData for the launched instance. Would you mind explaining that? Thanks!

Anonymous, 2016-05-10:

This worked perfectly for me. As a newb, I will say the fact that I had a $ in the password appeared to be the primary issue. I kept getting a "username or password incorrect" in my error output file, and the script in ISE was showing different colors during and after the $ within the quotation marks. I didn't want to alter my admin password, but once I swapped users with a password that contained normal characters and made it admin, everything went almost perfectly.

The only other issue I had appeared to be with the OUpath option. I got an error about not being able to find the file. I attempted to just run the "Add-Computer" command and kept getting that error. Once I removed -OUpath, it worked for me. I'm on 2012 R2, so I'm not sure if that had anything to do with it; it may also have been my OU choice, but since I wanted it in the Computers OU anyway, I just left it blank (for now).

Regardless, tested it with auto-scaling successfully. I'd like to add more to the script eventually, but this is a fantastic starting point for me. Thanks for the write-up.

Arpioni, 2016-05-05:

I have not seen that error either.
It could be the Catch statement with the Out-File having a problem.
Can you run the PowerShell on the machine manually, and see if you get any errors? Remove the Try/Catch so you can see the error.

Anonymous, 2016-05-05:

Hey Ryan

I followed all of the steps listed above. Got the following error:

Computer 'WIN-M339MVHD83P' failed to join domain 'domain.local' from its current workgroup 'WORKGROUP' with following error message: The system cannot find the file specified.

What file is it looking for?

Mike

Anonymous, 2016-05-05:

Hey Ryan

I am testing this out for our company and ran into a few issues, most of which I have conquered, except joining the domain. I get the following error:

Computer 'WIN-M339MVHD83P' failed to join domain 'domain.local' from its current workgroup 'WORKGROUP' with following error message: The system cannot find the file specified.

I don't know what file it would be looking for. I followed every step listed.

Mike

Arpioni, 2016-04-14:

Azhagiri,
Are the DNS settings for your instances pointing to your DNS servers for the domain or to AWS? If they are pointing to the AWS default .2, then you need to configure the DHCP option set for your VPC, or you can add this command to the beginning of your script; modify the IPs to reflect your DNS servers:

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddress ("10.0.0.10","10.0.0.11")

Also, please note that putting the script with the password as plaintext in the UserData is not secure. Anyone with access to the server can retrieve this information via the metadata. I'd highly recommend not using this approach.

Thank you
Ryan

Anonymous, 2016-04-13:

Hi Ryan Lawyer,

I have used your script for my scenario but not lucky.

Scenario:
I have 2 Windows instances which are under an ELB and they are in AD. Here I am using Autoscaling. When a new machine comes up it should automatically join the AD.

What I tried:
I have manually tried your script for testing purposes. I have launched the new instance with your script provided in the user data script box. But the machine was not added to the AD.
Script which I have tried:

$username = "example\username"
$password = "Password" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential($username, $password)
Try {
    Add-Computer -DomainName example.com -OUPath "OU=Computers,DC=babajob,DC=com" -Options JoinWithNewName,AccountCreate -Credential $cred -Force -Restart -ErrorAction 'Stop'
}
Catch {
    # Out-File does not create c:\temp; the directory must already exist
    echo $_.Exception | Out-File c:\temp\error-joindomain.txt -Append
}

My expectation:

I want the new server to be added as fast as possible to the AD while launching. Kindly help me.

Arpioni, 2016-03-14:

Rafiq,
I normally compile my script without the '-x64 -runtime30' options. I just tested it compiling this way and it still worked for me, using AMI Windows_Server-2012-R2_RTM-English-64Bit-Base-2016.02.10 (ami-3586ac5f).

Have you been able to test this using an AMI from AWS that hasn't been customized?
I'm curious if the AMI creation process that you are using is causing some sort of issue.

Can you share both the complete UserData as well as the PowerShell script you are compiling? Please replace any private data with obscure data instead.

Ryan

Anonymous, 2016-03-14:

Hi Ryan,

I compiled the script using '-x64 -runtime30'. And I did not uninstall .NET 4.5, but when I go to add a server role on the AWS AMI created instance, I do not see that .NET 4.5 is installed.

The account has the right permission, since when I use it with the pure PowerShell script in the User Data, then it works.

'Shutdown with Sysprep' will not work for us because we want to retain the local administrator password, which is not retained in Windows 2008 and higher.

In order to make the script work for the second time, it needed 'UserData Execution for the next service start' enabled in the EC2 Service Properties (C:\Program Files\Amazon\Ec2ConfigService\Ec2ConfigServiceSettings.exe) before shutting it down for creating a custom AMI. The problem was that, if we turn this master instance up again for any modification, it is joined to the domain by the UserData scripts copied in it. To overcome that I just placed a check to see that this is not the master instance before trying to join the domain.

If the executable does not run because of the absence of .NET, then c:\temp\error-joindomain.txt would not have anything. On the other hand, "echo $_.Exception | Out-File ..." did not work but "$_.Exception | Out-File ..." did.

If you find anything about the .NET issue, please let us know.

Thanks -Rafiq

Arpioni, 2016-03-11:

Rafiq,
I am using the same AWS AMI and it works with no additional configurations. Does the user account that you are using to join to the domain have proper permissions to add computers?

The AWS AMI has .NET 4.5 installed by default. If you are creating your own custom AMI and disabling .NET, that could cause an issue; I'd have to test that scenario. Also, if you are creating a custom AMI you will probably need to specify 'Shutdown with Sysprep'.

Is there anything in the log file, per your script, c:\temp\error-joindomain.txt?
There may be a log generated in the event log as well.

Ryan