Deploy Active Directory (AD) Domain Services on ECS to centralize identity verification, authorization, and policy control.
How it works
-
Domain Controller (DC): Runs Active Directory Domain Services and DNS. Serves as the core of domain authentication and resolution. Requires a static private IP address for service continuity.
-
Client: An instance that joins the domain. Its DNS server points to the domain controller, enabling domain policy management and unified identity verification.
-
Network: The domain controller and client reside in the same VPC and vSwitch, communicating over the private network.
Procedure
Preparations
Create two ECS instances in the same VPC: one as the domain controller (DC) and the other as the client. This example uses Windows Server 2016 with the following configurations:
-
VPC CIDR block:
172.31.0.0/16 -
Domain Controller (DC) IP:
172.31.106.88(static private IP) -
Client IP:
172.31.106.87(static private IP) -
Root domain name:
example.com
Do not deploy a new domain controller from a custom image of an existing one. If you must, ensure the new instance has the same hostname as the source, or change the hostname after creation.
Step 1: Deploy the domain controller
-
Log on to the domain controller ECS instance.
-
Go to the ECS Instances page. Select the resource group and region of the target instance.
-
On the details page of the target instance, click Connect > Workbench. Set the connection method to Terminal, enter your username and password, and log on.
-
-
Install the AD Domain Services and DNS Server roles.
-
Right-click the
icon, click Run, enter servermanager.exe, and press Enter to open Server Manager. Click Add Roles And Features. -
On the Installation Type and Server Selection pages, keep the defaults and click Next.
-
On the Server Roles page, select Active Directory Domain Services and DNS Server, then confirm to add them.
AD Domain Services rely on DNS for name resolution and service location. The installer automatically configures the local DNS server and creates the required DNS zones and records. If DNS runs on another server, you must manually configure zone delegation, add AD-related DNS records, and ensure network connectivity.
-
Click Next until you reach the Install page. Click Install. After installation completes, click Close.
-
-
Promote the server to a domain controller.
After installing the roles, promote the server to a domain controller.
-
In the upper-right corner of Server Manager, click the yellow exclamation mark icon and select Promote this server to a domain controller.
-
On the Deployment Configuration page, select Add New Forest and set the Root Domain, such as
example.com. -
On the Domain Controller Options page, set the Directory Services Restore Mode (DSRM) password. Store this password securely; it is used for disaster recovery.
-
On the DNS Options page, click Next.
You can ignore the delegation warning. It appears because the wizard attempts to contact a parent DNS zone, but no parent zone exists for the root domain of a new forest. This does not affect domain controller functionality.
-
On the Other Options page, a NetBIOS domain name (such as
EXAMPLE) is auto-generated. Click Next. -
Keep the defaults for the remaining steps. When the Prerequisite Check passes, click Install. The server automatically restarts after installation.
-
-
Verify the domain controller status.
After the restart, reconnect to the instance. Right-click the
icon, click Run, enter control system, and press Enter. Verify the computer name and domain. If correct, the installation succeeded.Open Control Panel > System and Security > System. In the Computer name, domain, and workgroup settings area, verify that the Domain field shows
example.com. This confirms the domain controller is successfully deployed.
Step 2: Join the client to the AD domain
After deploying the domain controller, join the client instance to the domain for centralized management.
-
Log on to the client ECS instance.
-
Go to the ECS Instances page. Select the resource group and region of the target instance.
-
Go to the details page of the target instance. Click Connect > Workbench. Select Terminal, enter your username and password, and log on.
-
-
Configure the client DNS.
Set the client's DNS server address to the private IP address of the domain controller so it can resolve the domain and locate the DC.
-
Right-click the
icon, click Run, enter ncpa.cpl, and press Enter to open Network Connections. -
Right-click Ethernet > Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Select Use the following DNS server addresses and set the DNS server address to the domain controller IP from Step 1.
-
-
Join the client to the domain.
-
Right-click the
icon, click Run, enter control system, and press Enter. In the Control Panel > System and Security > System page, in the Computer name, domain, and workgroup settings area, click Change settings. -
In the System Properties dialog box, on the Computer Name tab, click Change.
-
On the Computer Name/Domain Change page, enter the AD domain information.
Enter the root domain name set in Step 1: Deploy the domain controller, for example,
example.com. -
Restart the server for the changes to take effect.
-
-
Verify the domain join status.
Right-click the
icon, click Run, enter control system, and press Enter. If the full computer name and domain name include the AD root domain, the client has joined the domain successfully.After setting up the AD domain and joining a client, you can perform operations such as creating users and organizational units. See Active Directory Domain Services Overview.
Ensure the domain controller always uses a static IP address. If its IP changes, clients with the cached old IP will fail to connect, causing domain authentication failures. You must manually update the DNS server configuration on all clients to point to the new IP address of the domain controller.
FAQ
How do I fix the "The security database on the server does not have a computer account for this workstation trust relationship" error?
Cause: The trust relationship between the domain member ECS instance and the Domain Controller (DC) is broken. Possible reasons:
-
Snapshot recovery: The instance was reverted to an old snapshot, causing the locally stored machine password to mismatch the AD password.
-
SID conflict: Multiple instances were created from a custom image without running Sysprep, resulting in duplicate computer names or SID conflicts.
-
Long-term offline status: The instance was shut down or disconnected for more than 30 days, causing the machine account password to expire.
-
Accidental deletion in AD: An administrator manually reset or deleted the computer account.
Solution:
Solution 1: Quick repair with PowerShell (Recommended)
Repairs the secure channel online without leaving the domain.
-
Log on to the ECS instance with a local administrator account.
-
Run the following PowerShell command as an administrator:
Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -
In the pop-up window, enter domain administrator credentials.
-
Verify the result:
-
If it returns True, the repair succeeded. Restart the instance to restore domain account logon.
-
If it returns False or an error occurs, proceed to Solution 2.
-
Solution 2: Leave and rejoin the domain
-
Log on to the ECS instance with a local administrator account.
-
Leave the domain:
-
Right-click This PC, select , then click Change.
-
Change the membership to Workgroup (for example, WORKGROUP).
-
Enter domain administrator credentials to confirm. After the operation succeeds, restart.
-
-
Reset the computer account: On the domain controller, locate the computer account, right-click it, and select Reset Account.
-
Rejoin the domain:
-
Go to the Computer Name/Domain Changes window again.
-
For Member of, select Domain and enter the domain name.
-
Enter domain administrator credentials to confirm. After the operation succeeds, restart.
-
-
After the restart, verify the error is resolved.
What should I do if the error "The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine" appears when joining a client to an AD domain?
Cause: Multiple ECS instances created from the same custom image share the same computer SID and computer name. When one instance communicates with the domain controller, other instances with the same SID cause conflicts, breaking the trust relationship.
Solution:
Use the Windows System Preparation (Sysprep) tool to regenerate the SID.
-
On the ECS instance, locate
Sysprep.exe, typically atC:\Windows\System32\Sysprep. -
Run
Sysprep.exeas an administrator, select the Generalize option, and click OK. -
After the system restarts, the SID is regenerated. Try joining the AD domain again.