This topic describes how to deploy a domain controller server on an Elastic Compute Service (ECS) instance and connect an ApsaraDB RDS for SQL Server instance to the target domain.
Prerequisites
- The RDS instance runs one of the following SQL Server versions:
- SQL Server 2019 SE (general-purpose or dedicated instance)
- SQL Server 2017 EE or SE (general-purpose or dedicated instance)
- SQL Server 2016 EE or SE (general-purpose or dedicated instance)
- SQL Server 2012 EE or SE (general-purpose or dedicated instance)
- The RDS instance and the ECS instance that hosts your domain controller server reside in the same Virtual Private Cloud (VPC).
- The security group of the ECS instance is configured to allow access from the private IP address of the RDS instance. For more information, see Add security group rules.
- The private IP address of the RDS instance is allowed by the firewall of the ECS instance. The firewall is disabled by default. If you have enabled the firewall, you must configure the firewall to allow the private IP address of the RDS instance.
- The domain account belongs to the Domain Admins group because elevated permissions are required for a client to join a domain.
- The domain controller server uses the same IP address as the Domain Name System (DNS) server.
- You have logged on to the console by using an Alibaba Cloud account.
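The following PowerShell preflight check is an added example, not part of the original topic. Run on the domain controller, it tests the prerequisites that can be verified locally: DNS running on the domain controller, Domain Admins membership of the domain account, and firewall allowance for the private IP address of the RDS instance. The IP address and account name are placeholders, and the script assumes that the ActiveDirectory module is installed.

```powershell
# Added example: local preflight checks, run in an elevated session on the domain controller.
param(
    [string]$RdsPrivateIp  = '192.0.2.10',     # placeholder: private IP address of the RDS instance
    [string]$DomainAccount = 'rds-join-user'   # placeholder: account used to join the domain
)
Import-Module ActiveDirectory -ErrorAction Stop
$report = [ordered]@{}

# Prerequisite: the domain controller and the DNS server share one IP address,
# so this host must be a domain controller with the DNS Server service running.
$dc  = try { Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop } catch { $null }
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
$report['IsDomainController'] = [bool]$dc
$report['DnsServiceRunning']  = ($null -ne $dns -and $dns.Status -eq 'Running')

# Prerequisite: the domain account belongs to the Domain Admins group.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
$report['AccountInDomainAdmins'] =
    [bool]($admins | Where-Object { $_.SamAccountName -eq $DomainAccount })

# Prerequisite: if the Windows firewall is enabled, it must allow the RDS private IP address.
$enabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })
$report['FirewallProfilesEnabled'] = ($enabledProfiles.Name -join ',')
if ($enabledProfiles.Count -gt 0) {
    # Only rules that name the exact address are matched; subnet or range rules are not evaluated.
    $matching = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains $RdsPrivateIp }
    $report['InboundAllowRulesForRdsIp'] = ($matching.DisplayName -join '; ')
} else {
    $report['InboundAllowRulesForRdsIp'] = 'n/a (firewall disabled)'
}

[pscustomobject]$report | Format-List
```

The VPC and security group prerequisites are configured outside the operating system and must be checked in the console.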
Background information
Microsoft Active Directory (AD) is a directory service for specific Microsoft products, such as Windows Server Standard, Windows Server Enterprise, and Microsoft SQL Server. A directory is a hierarchical structure that stores information about objects on the same local area network (LAN). AD stores information about domain accounts, such as usernames, passwords, and phone numbers. It allows authorized users on the same LAN to access its information.
AD is an important component in the Windows ecosystem. Many large enterprises use domain control to plan and implement centralized access management. Domain control is provided by Windows and has always been a native management method for these enterprises. If you migrate all your businesses from an on-premises environment to the cloud or use a hybrid cloud architecture, make sure that the cloud supports AD for global management. AD support is a key factor in determining whether you can migrate on-premises SQL Server databases to the cloud.
ApsaraDB RDS for SQL Server enables you to connect an RDS instance to a user-created domain.
Precautions
Select a Windows version
You must deploy a domain controller server on an ECS instance that runs Windows Server. The minimum requirement for the instance operating system is Windows Server 2012 R2. We recommend that you use Windows Server 2016 or later and select English. The following sections use Windows Server 2016 as an example to describe how to deploy a domain controller server for an RDS instance.
Procedure
Deploy a domain controller server on an ECS instance
Configure a security group for the ECS instance
Configure the RDS instance
FAQ
Which RDS account can I use to connect my RDS instance to a domain? How do I control the account permissions?
We recommend that you use an account with domain administrator permissions. If you do not want to use domain administrator permissions, you can grant the account the least permissions by performing the following operations. However, if you use the least permissions, you must manually remove your computer from the domain controller server when you leave the domain. Otherwise, an error is reported when you reconnect the same RDS instance to this domain.
- After you create a user and confirm that the user belongs to the Domain Admins group, choose
- Right-click the newly created user and select Create a custom task to delegate. Click Next.
- Select Only the following objects in the folder and the red highlighted items in the following figure. Click Next.
- Select the items as shown in the following figure. Click Next until the procedure is complete.