
I'm using AWS and have a VPC which is connected to the local network via a VPN. I can launch EC2 instances, put them in various subnets in various AZs and connect to them via internal IP.

I can also join them to the local domain.

However, I want to be able to automatically put them into specific groups within the AD domain, based on their IP address, when they join the domain.

Therefore, when I create a new instance of my image it will be joined to the domain and because it has a particular IP address, will be added to a certain group.

Piers Karsenbarg
  • Yes, it's possible. What are you using to auto-join these instances? – HopelessN00b Feb 13 '14 at 17:40
  • I'm pre-empting this slightly. I'm still setting up servers and joining them manually, but whether automatically joined, or joined manually I'd still like it to be added to the correct group. – Piers Karsenbarg Feb 13 '14 at 17:44
  • What comes to mind immediately is a simple PowerShell script to check the IP, and conditionally add to a group on that basis. I'd do it as a scheduled task on some other computer. Poll the default computers container in AD periodically, check their IPs, and add to group if applicable. You could also create a GPO to execute a group-join script on startup, and use item-level targeting or WMI filtering to only apply to your desired IP range. This would require some lax security around permissions to do that group-join, and I don't know a way to manipulate domain groups directly via GPO. – HopelessN00b Feb 13 '14 at 17:56
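One way to implement the polling approach HopelessN00b describes, as an added example that is not code from the thread: it assumes the RSAT ActiveDirectory module, a placeholder domain (example.com) and a constructed subnet-to-group mapping, and it is meant to run as a scheduled task under an account delegated only "Write Members" on the target groups.

```powershell
# Added example: poll the default Computers container and add each computer to the
# AD group that matches its subnet. Assumes the RSAT ActiveDirectory module; the
# domain, subnets and group names below are placeholders, not from the thread.
Import-Module ActiveDirectory

$ComputersContainer = 'CN=Computers,DC=example,DC=com'     # placeholder domain
$SubnetGroupMap = @{                                       # constructed mapping
    '10.0.1.0/24' = 'EC2-Web-Servers'
    '10.0.2.0/24' = 'EC2-App-Servers'
}

function Test-IPv4InSubnet {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }  # IPv4 only
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                  # network order -> host order
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $net  = [BitConverter]::ToUInt32($netBytes, 0)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))  # /24 -> 0xFFFFFF00
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Sync-ComputerGroupsBySubnet {
    $computers = Get-ADComputer -SearchBase $ComputersContainer -Filter * -Properties DNSHostName
    foreach ($computer in $computers) {
        # Resolve the internal address the instance registered in AD-integrated DNS.
        try {
            $ip = ([System.Net.Dns]::GetHostAddresses($computer.DNSHostName) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   Select-Object -First 1).IPAddressToString
        } catch { Write-Warning "Could not resolve $($computer.Name); skipping"; continue }
        if (-not $ip) { continue }

        foreach ($cidr in $SubnetGroupMap.Keys) {
            if (-not (Test-IPv4InSubnet -IPAddress $ip -Cidr $cidr)) { continue }
            $group   = $SubnetGroupMap[$cidr]
            $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName
            if ($members -notcontains $computer.DistinguishedName) {
                # The task account needs only "Write Members" delegated on $group, not broader rights.
                Add-ADGroupMember -Identity $group -Members $computer.DistinguishedName
                Write-Output "$(Get-Date -Format s) added $($computer.Name) ($ip) to $group"
            }
        }
    }
}

Sync-ComputerGroupsBySubnet
```

Membership is only added, never removed, so an instance that changes subnet keeps its old group until someone reviews it; the log line per change gives you something to alert on.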

1 Answer


I don't think IPs are the right thing to key off of here. Are you automatically launching your instances into the VPC? If so, you could tag them or give them a 'join_X_group' role that would let them talk to your DC in that region. Even having a DHCP Options Set that would have them come up with a specific DNS server which could be your DC and then follow http://docs.aws.amazon.com/workspaces/latest/adminguide/join_a_directory.html#join_instance to join the host to a domain with a user-data script.

Alternatively, you could create a Directory (see the Workspaces panel) that replicates from your existing AD infrastructure, and join it that way.

bobmagoo