Netzwerkvalidierung

Bevor Sie Ihre RDS-Custom-Instanz entweder zu selbstverwaltetem oder hinzufügen AWS Managed Microsoft AD, überprüfen Sie Folgendes von einer EC2 Instance in derselben VPC, in der Sie die RDS Custom for SQL Server-Instanz starten möchten.

Prüfen Sie, ob Sie in der Lage sind, den vollqualifizierten Domänennamen (FQDN) auf einen Domänencontroller aufzulösen. IPs


nslookup corp.example.com

Der Befehl muss eine ähnliche Ausgabe zurückgeben:


Server:  ip-10-0-0-2.us-west-2.compute.internal
Address:  25.0.0.2

Non-authoritative answer:
Name:    corp.example.com
Addresses:  40.0.9.25 (DC1 IP)
            40.0.50.123 (DC2 IP)

Lösen Sie AWS Dienste von einer EC2 Instance in der VPC auf, in der Sie Ihre benutzerdefinierte RDS-Instance starten:


$region='input-your-aws-region'
$domainFQDN='input-your-domainFQDN'
 
function Test-DomainPorts {
    param (
        [string]$Domain,
        [array]$Ports
    )
 
    foreach ($portInfo in $Ports) {
        try {
            $conn = New-Object System.Net.Sockets.TcpClient
            $connectionResult = $conn.BeginConnect($Domain, $portInfo.Port, $null, $null)
            $success = $connectionResult.AsyncWaitHandle.WaitOne(1000) # 1 second timeout
            if ($success) {
                $conn.EndConnect($connectionResult)
                $result = $true
            } else {
                $result = $false
            }
        }
        catch {
            $result = $false
        }
        finally {
            if ($null -ne $conn) {
                $conn.Close()
            }
        }
        Write-Host "$($portInfo.Description) port open: $result"
    }
}
 
# Check if ports can be reached 
$ports = @(
    @{Port = 53;   Description = "DNS"},
    @{Port = 88;   Description = "Kerberos"},
    @{Port = 389;  Description = "LDAP"},
    @{Port = 445;  Description = "SMB"},
    @{Port = 5985; Description = "WinRM"},
    @{Port = 636;  Description = "LDAPS"},
    @{Port = 3268; Description = "Global Catalog"},
    @{Port = 3269; Description = "Global Catalog over SSL"},
    @{Port = 9389; Description = "AD DS"}
)
 
function Test-DomainReachability {
    param (
        [string]$DomainName
    )
    
    try {
        $dnsResults = Resolve-DnsName -Name $DomainName -ErrorAction Stop
        Write-Host "Domain $DomainName is successfully resolving to following IP addresses: $($dnsResults.IpAddress)"
        Write-Host ""
        return $true
    } 
    catch {
        Write-Host ""
        Write-Host "Error Message: $($_.Exception.Message)"
        Write-Host "Domain $DomainName reachability check failed, please Configure DNS resolution"
        return $false
    }
}
 
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
if ($domain -eq 'WORKGROUP') {
    Write-Host ""    
    Write-Host "Host $env:computername is still part of WORKGROUP and not part of any domain"
    }
else {
    Write-Host ""
    Write-Host "Host $env:computername is joined to $domain domain"
    Write-Host ""
    }
 
 
$isReachable = Test-DomainReachability -DomainName $domainFQDN  
if ($isReachable) {
    write-Host "Checking if domain $domainFQDN is reachable on required ports  "
    Test-DomainPorts -Domain $domainFQDN -Ports $ports
}
else {
    Write-Host "Port check skipped. Domain not reachable"
}   
 
 
 
# Get network adapter configuration
$networkConfig = Get-WmiObject Win32_NetworkAdapterConfiguration | 
                 Where-Object { $_.IPEnabled -eq $true } |
                 Select-Object -First 1
 
# Check DNS server settings
$dnsServers = $networkConfig.DNSServerSearchOrder
 
if ($dnsServers) {
    Write-Host "`nDNS Server settings:"
    foreach ($server in $dnsServers) {
        Write-Host "  - $server"
    }
} else {
    Write-Host "`nNo DNS servers configured or unable to retrieve DNS server information."
}
 
write-host ""
 
# Checks reachability to dependent services
$services = "s3", "ec2", "secretsmanager", "logs", "events", "monitoring", "ssm", "ec2messages", "ssmmessages"
 
function Get-TcpConnectionAsync {
    param (
        $ServicePrefix,
        $region
    )
    $endpoint = "${ServicePrefix}.${region}.amazonaws.com"
    $tcp = New-Object Net.Sockets.TcpClient
    $result = $false
 
    try {
        $connectTask = $tcp.ConnectAsync($endpoint, 443)
        $timedOut = $connectTask.Wait(3000)
        $result = $tcp.Connected
    } 
    catch {
        $result = $false
    } 
    return $result
}
 
foreach ($service in $services) {
    $validationResult = Get-TcpConnectionAsync -ServicePrefix $service -Region $region
    Write-Host "Reachability to $service is $validationResult"
}

Der TcpTestSucceeded Wert muss True fürs3,,ec2,secretsmanager,logs, events monitoring ssmec2messages, und ssmmessages zurückgegeben werden.

Warnung JavaScript ist in Ihrem Browser nicht verfügbar oder deaktiviert.

Zur Nutzung der AWS-Dokumentation muss JavaScript aktiviert sein. Weitere Informationen finden auf den Hilfe-Seiten Ihres Browsers.

Dokumentkonventionen

Portregeln für die Netzwerkkonfiguration

Windows-Authentifizierung einrichten