Cloning Domain Controllers (DCs) within single VPCs is often a trivial matter. Proper planning, a few PowerShell cmdlets, and you’re there.
However, what if you want to clone a DC in an AWS environment, to a completely isolated environment?
And within a different account?
Recently, a Xello client wanted to clone two Domain Controllers from one AWS account (in this instance, their production environment), to another AWS account (a new test environment). An important distinction is they’re two different accounts, not simply in different VPCs under the same account.
At a high level, cloning a Domain Controller in AWS is no different from cloning or taking an image of any EC2 instance. Our experts have taken the time to walk you through the process in our guide - read below for more.
How to clone a domain controller in AWS
Before we begin, this article assumes that you have a working technical knowledge of AWS, and Active Directory.
- Multiple AWS Accounts (two in this scenario)
- A Domain Controller (in this scenario)
In this post we will cover:
- Cloning of a Domain Controller
- Renaming Domain Controller
- Seizing FSMO roles
- Metadata clean-up
You may, however, wish to perform the above points differently depending on your unique requirements.There’s no need to run Get-ADDCCloningExcludedApplicationList and the cmdlets that follow, in this case.
The first step is to turn off (stop) the EC2 instance which corresponds to your Domain Controller if possible.
If not, you can still go ahead and copy the image; however, AWS will not guarantee the integrity of the File System.
To copy the instance:
- Select the instance you wish to copy, click the Actions menu, click Image, and select Create Image.
- Define the images settings, then click on Create Image.
- After the image has been created, you will need to copy it to the other AWS account - this can be achieved by obtaining the AWS account number (under My Account).
- After the AMI is copied, you will need to modify the permissions. Select the image, and choose Modify Image Permissions from the Actions menu.
- Modify the Image Permissions, and add the AWS Account number associated to the target account. Click Save.
6. When the image permissions have been modified, they will appear in the list of AMIs in the other AWS Account. As this was a “Private” image, you will have to select “Private Images”.
- Select the image, and click on Launch. This is a standard EC2 instance.
As this is a clone of a previous instance, if you have a static IP addresses assigned (and you should) you will not be able to access the EC2 instance from the private IP address if you have a VPN or DirectConnect session established.
In this case, you could either assign it a temporary public IP, or attach a temporary secondary NIC.
Once connected to the newly-created EC2 instance using existing credentials; for instance, Local Administrator or Domain Admin. You can then change the Primary IP address on the Primary NIC.
Alternatively, you can define the IP whilst launching the EC2 instance.
FSMO roles are important to make sure your Domain Controller is working properly. If you copied a non-primary domain controller, or a DC that doesn’t hold the FSMO role, then you will need to seize the FSMO roles.
Prior to that, ensure appropriate site(s) and subnet(s) for your new environment are created (via Sites and Services).
Do not rename the DCs prior to renaming the domain if you have cloned multiple DCs.
You can however, rename the DC that will hold the FSMO roles.
Make sure to perform a metadata clean-up by removing the decommissioned sites and services.
We hope you’ve found this informative. Should you have any questions or feedback, please leave a comment below.