Reset Windows server identity settings using AWS Application Migration Service post-launch automation
Rehost (also known as lift and shift) is a migration strategy that allows you to quickly move applications to the cloud without making application changes. AWS Application Migration Service (AWS MGN) is used for rehost migrations, as the service creates a copy of the source disk with the operating system and its configuration settings. These settings include attributes like the server's hostname and its associations with other systems, for example Microsoft Active Directory for Windows servers. If you launch a new Amazon Elastic Compute Cloud (Amazon EC2) instance with the same hostname, joined to the same Active Directory domain, while the existing source server is still online, the result is DNS conflicts and Active Directory trust relationship conflicts. Some customers want to remove the Active Directory domain association and change the hostname of Windows servers so that they can perform online testing, or launch the same application multiple times.
In this post I’ll show you how to configure AWS MGN to safely launch Windows servers in a specially configured isolated Amazon Virtual Private Cloud (Amazon VPC). I’ll then show you how AWS MGN’s post-launch actions feature automates the removal of Active Directory domain association, and performs hostname changes. Lastly, I’ll show you how to create an Amazon Machine Image (AMI) after removing a server from Active Directory, so new instances can be launched in a connected VPC or be added to an Amazon EC2 Auto Scaling Group.
Note: If you want to do the opposite, that is, join a server to an Active Directory domain during migration, read the blog post Automate migrated servers to automatically join an Active Directory domain using AWS Application Migration service and AWS Systems Manager.
Solution Overview
Explanation of the key steps from the diagram:
- Application Migration Service replicates the source server and launches a test Amazon EC2 instance in an isolated VPC (see the Prerequisites section).
- An AWS Systems Manager document (SSM document) removes the server from the Active Directory domain and optionally changes the hostname. Note: this action does not delete the computer object from Active Directory.
- An AMI is created to launch further test instances, which can be part of an Amazon EC2 Auto Scaling group.
- New instances are launched in a connected VPC, so online testing can be completed.
Prerequisites
This blog post assumes you have successfully completed replication of the source server and its lifecycle status is Ready for testing.
An Isolated VPC to safely reconfigure the instance
You must launch domain-joined servers in an isolated VPC from which no Active Directory domain controller is reachable. This sample AWS CloudFormation template creates a VPC, restricted Amazon EC2 security groups, an Amazon EC2 instance profile and the VPC endpoints required for the migrated instance to communicate with AWS Systems Manager. Launch this stack in your AWS account and take note of the stack outputs VPC, Subnet, EC2 Security Group and EC2 Instance Profile; you need them in the next step. You could achieve an isolated server via other methods, for example by restricting egress via the security group.
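The isolation the paragraph above relies on comes from the security groups and endpoints, so here is the core of such a stack as an added example (it is not the post's own template). VpcId and SubnetId are assumed parameters; the VPC itself, the instance profile and everything else are left out.

```yaml
# Added example, not the post's CloudFormation template. Assumes the VPC and
# subnet already exist and are passed in as parameters.
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  SubnetId: { Type: AWS::EC2::Subnet::Id }
Resources:
  InstanceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Migrated instance; no inbound, egress only to the endpoint SG
      VpcId: !Ref VpcId
      # Declaring any egress rule inline makes CloudFormation drop the default
      # allow-all egress rule; this loopback placeholder permits nothing reachable.
      SecurityGroupEgress:
        - { IpProtocol: "-1", CidrIp: 127.0.0.1/32 }
  EndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Interface endpoints; HTTPS from InstanceSG only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref InstanceSG
  InstanceToEndpoints:
    # A separate egress resource avoids a circular reference between the two SGs
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref InstanceSG
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !Ref EndpointSG
  # SSM Agent needs the ssm, ssmmessages and ec2messages endpoints; with the
  # rules above these are the only destinations the instance can reach.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, VpcId: !Ref VpcId, PrivateDnsEnabled: true,
                  SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG],
                  ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" }
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, VpcId: !Ref VpcId, PrivateDnsEnabled: true,
                  SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG],
                  ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" }
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcEndpointType: Interface, VpcId: !Ref VpcId, PrivateDnsEnabled: true,
                  SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG],
                  ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" }
```

PrivateDnsEnabled requires DNS hostnames and DNS resolution to be enabled on the VPC; without them the agent cannot resolve the endpoint names.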
Configure the Launch Template
From the Application Migration Service console, choose one of your source servers. Under the launch settings tab, choose Modify to edit the EC2 Launch Template configured for your migrated server.
Change the Subnet, Security Group and AWS Identity and Access Management (IAM) Instance Profile, to the outputs from the CloudFormation stack or equivalent resources within your environment.
Set the default template version to the version you have just created.
Implementation
Create SSM Automation Document
- In the AWS Systems Manager console, choose Documents in the navigation pane.
- Choose Create document and, from the dropdown, select Command or Session.
- Enter a document name, for example Reset-Identity.
- Choose YAML as the document content format.
- Copy the contents from reset-identity.yml.
- Choose Create document.
The SSM automation document is visible on the Documents page, under the Owned by me tab. This SSM document is only available to your AWS account.
Activate Reset-Identity Post-launch action
Post-launch settings must first be activated on the post-launch template page.
- On the Application Migration Service console, choose Source Servers from the navigation pane.
- Choose the source server to configure with post-launch settings (this can also be configured as a post-launch settings template, which is applied to all newly added servers).
- Choose Post-launch settings.
- Choose Create action.
- Provide a name for the action, and ensure Activate this action is checked.
- For Systems Manager document name choose the SSM automation document you created, for example Reset-Identity.
- Enter values for the Action Parameters:
- Workgroup: name of the workgroup to join (the default is Workgroup).
- Hostname: new hostname for the server (leave blank to keep the current hostname).
- Restart: whether the server is rebooted after the automation runs (the default is false).
- Ensure the Order number is correct. Because the two automation documents must run in a specific order, this number needs to be lower than that of the action created in the following step, for example 1001.
- Choose Add action when complete.
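The post links to reset-identity.yml without showing it. As an added example, here is a Command document (schema 2.2) that implements the three Action Parameters described above the way a domain-unjoin in an isolated VPC has to work; it is not the post's own file, and the FUnjoinOptions value, the registry check and the 3010 reboot convention are this example's own choices.

```yaml
# Added example, not the post's reset-identity.yml. Parameter names follow the
# post; the implementation is this example's own.
schemaVersion: "2.2"
description: Leave the AD domain, join a workgroup, optionally rename and reboot
parameters:
  Workgroup:
    type: String
    default: Workgroup
    description: Workgroup to join after leaving the domain
  Hostname:
    type: String
    default: ""
    description: New hostname (blank keeps the current name)
  Restart:
    type: String
    default: "false"
    allowedValues: ["true", "false"]
    description: Reboot after the change
mainSteps:
  - action: aws:runPowerShellScript
    name: ResetIdentity
    precondition:
      StringEquals: ["platformType", "Windows"]
    inputs:
      timeoutSeconds: "600"
      runCommand:
        - |
          $ErrorActionPreference = 'Stop'
          $changed = $false
          $cs = Get-CimInstance -ClassName Win32_ComputerSystem
          # 1. Leave the domain. FUnjoinOptions 0 leaves the AD computer account untouched,
          #    so no domain controller is needed and the object stays in AD (as the post says).
          if ($cs.PartOfDomain) {
            $r = Invoke-CimMethod -InputObject $cs -MethodName UnjoinDomainOrWorkgroup -Arguments @{ FUnjoinOptions = [uint32]0 }
            if ($r.ReturnValue -ne 0) { throw "Unjoin failed with code $($r.ReturnValue)" }
            $r = Invoke-CimMethod -InputObject $cs -MethodName JoinDomainOrWorkgroup -Arguments @{ Name = '{{ Workgroup }}'; FJoinOptions = [uint32]0 }
            if ($r.ReturnValue -ne 0) { throw "Workgroup join failed with code $($r.ReturnValue)" }
            $changed = $true
          }
          # 2. Rename only when a name was given and it is not already the pending name,
          #    so a rerun of this step after a reboot is a no-op.
          $pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
          $new = '{{ Hostname }}'.Trim()
          if ($new -and $new -ne $pending) {
            Rename-Computer -NewName $new -Force -WarningAction SilentlyContinue
            $changed = $true
          }
          # 3. Exit code 3010 asks SSM Agent to reboot and rerun this step; with nothing
          #    left to change, the rerun exits 0, so there is no reboot loop.
          if ('{{ Restart }}' -eq 'true' -and $changed) { exit 3010 }
```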
Create Post-launch action for Creating an Amazon Machine Image (AMI)
Application Migration Service comes with a predefined post-launch action called Create AMI from instance; however, it cannot be used here because its order number is fixed, so a new action is required.
- On the Post-launch settings page for your selected Source Server, choose Create action.
- Enter an Action name, for example Create-Custom-AMI.
- For Systems Manager document name choose AWS-CreateImage.
- Ensure the Order number is correct: a higher number than the previously created Reset-Identity action, for example 1002.
- Choose Add action.
Launch test instance
From the Application Migration Service console, choose a source server for launching a test instance, and choose Launch test instances from the Test and cutover dropdown.
Monitor the migration lifecycle status from the Migration dashboard page. The post-launch action status is displayed.
After the test instance has been launched and removed from the Active Directory domain, an Amazon Machine Image (AMI) is created. This enables new launches of the VM in a connected VPC, or as part of an Amazon EC2 Auto Scaling group. The AMI's ImageId is retrieved by choosing Create AMI from instance from the migration dashboard (see Figure 7).
Note: After removing the server from Active Directory, a local user account is needed to log in. As the SSM Agent is installed during the migration, Fleet Manager (a capability of AWS Systems Manager) can be used to manage OS user accounts.
Cleanup
The Amazon EC2 instance that was used to create the AMI is still running. Terminate it via the Amazon EC2 console, or via the Application Migration Service console by choosing the "Revert to Ready for testing" option.
Conclusion
With the post-launch settings feature of AWS Application Migration Service, you can automate steps needed in the migration process. Resetting the identity settings for a Windows server enables you to safely connect an identical server to your network for online testing. The automatic creation of an Amazon Machine Image (AMI) also enables multiple launches of the application for testing or making the application part of an Amazon EC2 Auto Scaling group. See other Predefined post-launch actions which can be used by the Application Migration Service or create your own custom SSM automation documents.
Get started with AWS Application Migration Service