Migration strategies such as rehosting—or lift and shift—enable the rapid transfer of applications to the cloud without necessitating changes to the applications themselves. The AWS Application Migration Service (AWS MGN) facilitates these rehost migrations by creating a replica of the source disk, including the operating system and its configuration settings. These configurations encompass vital elements like the server’s hostname and its relationship with other systems, such as Microsoft Active Directory for Windows servers. If a new Amazon Elastic Compute Cloud (Amazon EC2) instance is initiated with the same hostname and is connected to the same Active Directory domain while the original source server remains active, conflicts may arise concerning DNS and Active Directory trust relationships. Some customers may seek to dissociate from the Active Directory domain and modify the hostname of their Windows servers to enable online testing or to launch multiple instances of the same application.
In this post, I’ll guide you through the process of configuring AWS MGN to safely launch Windows servers within a specially isolated Amazon Virtual Private Cloud (Amazon VPC). Additionally, I will demonstrate how the post-launch actions feature of AWS MGN automates the dissociation from Active Directory and facilitates hostname changes. Lastly, I will outline the steps to create an Amazon Machine Image (AMI) after removing a server from Active Directory, allowing new instances to be launched within a connected VPC or integrated into an Amazon EC2 Auto Scaling Group.
Solution Overview
- Application Migration Service replicates the source server and initiates a test Amazon EC2 instance in an isolated VPC. (Refer to the prerequisites section)
- An AWS Systems Manager document (SSM document) will remove the server from the Active Directory domain and optionally change the hostname. Note: This action does not delete the computer object from Active Directory.
- An AMI is generated to launch additional test instances that can be incorporated into an Amazon EC2 Auto Scaling Group.
- New instances are initiated in a connected VPC, enabling online testing to be performed.
Prerequisites
This blog assumes that you have successfully replicated the source server and that its lifecycle status is “Ready for testing.” You need an isolated VPC to safely reconfigure the instance, which must not be reachable by an Active Directory domain controller. A sample AWS CloudFormation template is available to create a VPC, along with restricted Amazon EC2 Security Groups and the necessary VPC endpoints for enabling communication with AWS Systems Manager. Launch this stack in your AWS account and take note of the stack outputs for VPC, Subnet, EC2 Security Group, and EC2 Instance Profile for the following steps. While other methods can achieve an isolated server, such as restricting egress via the security group, this template provides a straightforward approach.
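The isolation the prerequisites call for can be expressed directly as infrastructure. The CloudFormation template below is an added example written for this page; it is not the blog post's sample template, and every resource name, the CIDR and the output names are assumptions. It builds a VPC with no route out (no internet gateway, NAT, VPN, peering or Transit Gateway attachment), a subnet, an instance security group whose only egress is HTTPS to the three Systems Manager interface endpoints, the endpoints themselves, and an instance profile carrying AmazonSSMManagedInstanceCore. A server launched in it can be managed by SSM but cannot reach a domain controller by any path.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the blog post's template): an isolated VPC in which a
  rehosted Windows server can reach Systems Manager and nothing else.
Parameters:
  VpcCidr:
    Type: String
    Default: 10.200.0.0/24   # assumed; pick a range that does not overlap the source network
Resources:
  IsolatedVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true      # both DNS flags are required for the endpoints'
      EnableDnsHostnames: true    # private DNS names to resolve inside the VPC
  # No InternetGateway, NatGateway, VPN, peering or Transit Gateway attachment is
  # defined: the only route is the local VPC route, so no domain controller is reachable.
  IsolatedSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref IsolatedVpc
      CidrBlock: !Ref VpcCidr
      AvailabilityZone: !Select [0, !GetAZs '']
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the test instances to the SSM interface endpoints
      VpcId: !Ref IsolatedVpc
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: No ingress; egress only to the SSM interface endpoints
      VpcId: !Ref IsolatedVpc
      # Listing any egress rule replaces CloudFormation's default allow-all egress rule.
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationSecurityGroupId: !Ref EndpointSecurityGroup
  # Standalone ingress resource avoids a circular reference between the two groups.
  EndpointIngressFromInstances:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EndpointSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref InstanceSecurityGroup
  # SSM Agent needs ssm, ssmmessages and ec2messages to receive commands and report status.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref IsolatedVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      SubnetIds: [!Ref IsolatedSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref IsolatedVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      SubnetIds: [!Ref IsolatedSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref IsolatedVpc
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      SubnetIds: [!Ref IsolatedSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]
Outputs:
  VpcId: { Value: !Ref IsolatedVpc }
  SubnetId: { Value: !Ref IsolatedSubnet }
  InstanceSecurityGroupId: { Value: !Ref InstanceSecurityGroup }
  InstanceProfileName: { Value: !Ref InstanceProfile }
```

Two things to keep in mind when using a stack like this: post-launch actions only run if SSM Agent is installed on the source server, so it must be present before replication; and the AMI creation step later in this post is an Automation document executed by the Systems Manager service, not on the instance, so it needs no additional endpoint. The security group alone would already block a domain controller, but leaving the VPC without any external route means a later security group change cannot quietly reconnect the clone to the domain.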
Configure the Launch Template
From the Application Migration Service console, select one of your source servers. Under the launch settings tab, click Modify to edit the EC2 Launch Template associated with your migrated server. Adjust the Subnet, Security Group, and AWS Identity and Access Management (IAM) Instance Profile to reflect the outputs from the CloudFormation stack or equivalent resources within your environment. Set the default template version to the one you’ve just created.
Implementation
- Create SSM Command Document
In the AWS Systems Manager console, select Documents from the navigation pane. Click Create document and choose Command or Session from the dropdown; this creates a Command document, which runs on the instance through SSM Agent. Enter a document name, such as Reset-Identity, select YAML as the content format, and paste the contents of reset-identity.yml, the document that performs the domain unjoin and the optional hostname change. Choose Create document. The document appears under the Owned by me tab and is private to your AWS account.
- Activate Reset-Identity Post-launch action
Post-launch settings must be activated on the post-launch template page. In the Application Migration Service console, navigate to Source Servers and select the source server whose post-launch settings you want to configure (the same settings can also be defined in the post-launch template so that they apply to all newly added servers). Click Post-launch settings, then Create action. Provide a name for the action and ensure Activate this action is checked. For the Systems Manager document name, select the document you created, such as Reset-Identity, and enter the Action Parameters:
- Workgroup: Name of the workgroup to join after leaving the domain (default is Workgroup)
- Hostname: New hostname for the server (leave blank to retain the current hostname)
- Restart: Whether the server reboots after the document runs (default is false)
Set the Order number so that this action runs before the AMI is created in the next step. Post-launch actions execute in ascending order of their Order number, so give Reset-Identity a lower number than the AMI action, e.g., 1001. Click Add action when finished.
- Create Post-launch action for Amazon Machine Image (AMI)
AWS MGN includes a predefined post-launch action called Create AMI from instance; however, its order number is fixed, so it cannot be ordered after the Reset-Identity action. Instead, create a new action: on the Post-launch settings page for your selected source server, click Create action, enter an Action name such as Create-Custom-AMI, and for the Systems Manager document name select AWS-CreateImage. Set the Order number higher than that of the Reset-Identity action, e.g., 1002, so that the image is captured only after the server has left the domain, and click Add action.
- Launch Test Instance
In the Application Migration Service console, select a source server for launching a test instance and choose Launch test instances from the Test and cutover dropdown. Monitor the migration lifecycle status from the Migration dashboard page; the post-launch action status will be displayed.
After the test instance is launched and removed from the Active Directory domain, an Amazon Machine Image (AMI) is created from it. New instances from this AMI can be launched in a connected VPC or added to an Amazon EC2 Auto Scaling group. The AMI's ImageId is shown in the output of the AMI post-launch action on the migration dashboard.
Note: Once the server has left Active Directory, domain accounts (including cached domain credentials) can no longer be used to sign in, so a local user account is required. Make sure a local administrator account with known credentials exists on the source server before launching the test instance.
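The following SSM Command document is an added example of what the Reset-Identity action can look like; it is hypothetical and is not the blog post's reset-identity.yml. It takes the three parameters listed above (Workgroup, Hostname, Restart) with the same defaults. Everything else is an assumption made for this example: the unjoin is done through the Win32_ComputerSystem WMI method with FUnjoinOptions set to 0, which performs a local-only unjoin and therefore leaves the computer object in Active Directory untouched (the live source server still uses it); the script first refuses to run if a domain controller answers on LDAP, enforcing the isolation prerequisite; the reboot is requested with exit code 3010, which SSM Agent treats as a reboot request before rerunning the script, so a marker file at an assumed path prevents the rerun from repeating the work; and the parameters carry allowedPattern constraints because their values are spliced into the PowerShell text.

```yaml
schemaVersion: '2.2'
description: >-
  Added example of a Reset-Identity command document (hypothetical, not the
  blog post's reset-identity.yml): leave the AD domain without touching the
  computer object, optionally rename the host, optionally reboot.
parameters:
  Workgroup:
    type: String
    description: Workgroup to join after leaving the domain.
    default: Workgroup
    allowedPattern: '^[A-Za-z0-9-]{1,15}$'      # value is spliced into script text: constrain it
  Hostname:
    type: String
    description: New hostname; leave blank to keep the current name.
    default: ''
    allowedPattern: '^([A-Za-z0-9-]{1,15})?$'   # NetBIOS-safe name or empty
  Restart:
    type: String
    description: Reboot after the change.
    default: 'false'
    allowedValues: ['true', 'false']
mainSteps:
  - action: aws:runPowerShellScript
    name: resetIdentity
    precondition:
      StringEquals: [platformType, Windows]
    inputs:
      timeoutSeconds: '900'
      runCommand:
        - |
          $ErrorActionPreference = 'Stop'
          $Workgroup = '{{ Workgroup }}'
          $Hostname  = '{{ Hostname }}'
          $Restart   = '{{ Restart }}'
          $marker    = 'C:\ProgramData\reset-identity.done'   # assumed path

          # SSM Agent reruns the whole script after an exit-3010 reboot, so stop if already done.
          if (Test-Path $marker) { Write-Output 'Identity already reset.'; exit 0 }

          $cs = Get-CimInstance -ClassName Win32_ComputerSystem
          if ($cs.PartOfDomain) {
              # Isolation check: this clone carries the live source server's name and must never
              # talk to its domain. Refuse to continue if a domain controller answers on LDAP.
              $dcUp = Test-NetConnection -ComputerName $cs.Domain -Port 389 `
                          -InformationLevel Quiet -WarningAction SilentlyContinue
              if ($dcUp) { throw "A domain controller for $($cs.Domain) is reachable; refusing to unjoin outside an isolated VPC." }

              # FUnjoinOptions=0 omits NETSETUP_ACCT_DELETE: local unjoin only, so the computer
              # object in AD (still used by the source server) is neither disabled nor deleted.
              $r = Invoke-CimMethod -InputObject $cs -MethodName UnjoinDomainOrWorkgroup `
                       -Arguments @{ FUnjoinOptions = [uint32]0 }
              if ($r.ReturnValue -ne 0) { throw "UnjoinDomainOrWorkgroup failed: $($r.ReturnValue)" }
              $r = Invoke-CimMethod -InputObject $cs -MethodName JoinDomainOrWorkgroup `
                       -Arguments @{ Name = $Workgroup; FJoinOptions = [uint32]0 }
              if ($r.ReturnValue -ne 0) { throw "JoinDomainOrWorkgroup($Workgroup) failed: $($r.ReturnValue)" }
              Write-Output "Left domain $($cs.Domain); in workgroup $Workgroup after restart."
          } else {
              Write-Output 'Not domain-joined; skipping unjoin.'
          }

          if ($Hostname -and $Hostname -ne $env:COMPUTERNAME) {
              # Unjoin first, then rename, so the rename needs no domain credential;
              # both changes take effect at the restart.
              Rename-Computer -NewName $Hostname -Force -WarningAction SilentlyContinue
              Write-Output "Hostname changes to $Hostname after restart."
          }

          New-Item -ItemType File -Path $marker -Force | Out-Null
          # Exit code 3010 asks SSM Agent to reboot the node; the marker keeps the rerun idempotent.
          if ($Restart -eq 'true') { exit 3010 }
```

The LDAP probe is the part worth keeping even if you change the rest: a clone that can reach the domain and runs an unjoin with the account-disable flag would disable the computer account of the original server, which is still in production. Using the local-only unjoin and refusing to run when a domain controller is reachable guards against that from both sides.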