To set up a free 30-day trial of TrueStack Direct Connect in AWS or Azure follow the Initial Configuration steps here. Then create a new AD domain or migrate or extend your current domain and connect your on premise computers.

Take a test drive

TrueStack recommends AWS over Azure

For TrueStack Direct Connect, Should I host my Windows Servers in AWS or Azure?

TrueStack recommends AWS over Azure.  Here’s why:

  • In general AWS is less expensive than Azure.
  • AWS burst-able instances starting in the T2 series are faster than the Azure burst-able VMs in the B series.
  • Customers using TrueStack Direct Connect can start with a T2 Micro Instance which will easily handle up to 100 connections.
  • Azure customers should start with a DS2v1 VM.  This is more expensive but it will also easily handle up to 100 connections.
  • In AWS, for Windows domain controllers and file servers customers can start with a T2 Micro instance.  However, be aware of the CPU credits used.  If the credits reach 0 the server will be very slow.
  • Azure B series VMs are too slow for Windows domain controllers and file servers.  Customers should start with a DS2v1 VM or greater.  See The Seamless Migration for details on recommended instance and VM size.
  • Azure gives a discount for customers who bring their own Volume Licenses.  AWS is Microsoft’s largest SPLA reseller.  They receive a discount on SPLA Windows datacenter licenses which allows their customers unlimited connections without CALs.   Because of this, for Windows servers, AWS is less expensive even if the Azure customer brings their own VLs.
  • AWS SSD hard drives (GP2) are less expensive than the equivalent Premium SSD drives in Azure.

TrueStack Direct Connect is a VPN management server made to connect Windows and Mac computers to AWS and Azure cloud Windows domain controllers and file servers.  Follow our tutorials to try it out and get a free 30-day trial.

truestack.com/support

For price comparisons, use these calculators:

Note: The AWS Calculator is much easier to use than the Azure calculator.  

Calculator usage tips:

  • For AWS, uncheck the Free Tier checkbox in the upper-right-hand corner so you can see what your price will be after the free tier expires.  Azure’s calculator doesn’t have the ability to show the difference between their free trial and normal pricing.
  • AWS calculates one month as roughly 744 hours.  Azure sets one month to 730 hours by default.  We recommend changing it to 744 to get a more accurate monthly price in Azure.
  • For both AWS and Azure, different regions charge different prices.   For example, in AWS Oregon is generally less expensive than California.
  • Azure VMs include temporary storage.  AWS Instances do not include any storage.  In AWS we recommend using GP2 drives for the root and storage.  For Windows backup we recommend Cold HDD drives.  For Azure additional storage we recommend Premium SSD for data and Standard HDD for Windows backup.

Get 720 Windows server hours free from AWS and get a free 30-day trial from TrueStack

TrueStack Direct Connect is a VPN management server made to connect Windows and Mac computers to Windows domain controllers and file servers in the AWS and Azure clouds.  This tutorial will help you set up your own TrueStack Direct Connect instance in your Amazon Web Services account.

Set up your AWS Account

If you don’t have an Amazon Web Services account, create a free tier account.

Non-Profits may be eligible for $2000 in yearly AWS credits through Techsoup that can be applied to their account. Apply through Techsoup.org.

Launch TrueStack Direct Connect

  1. Once you have an AWS account, click on this link to open TrueStack Direct Connect on the marketplace and click Continue to Subscribe in the upper right-hand corner. TrueStack Direct Connect includes a free 30-day trial. If you haven’t already signed into your account, you’ll be prompted to sign in now.
  2. Accept the Terms.
  3. Click Continue to Configuration when it’s available. It may take a few minutes for this button to become available.
  4. Leave the Fulfillment Option and Software version as default.
  5. Choose your region. If you’re new to AWS we suggest choosing a region that is closest to your location.
  6. Click Continue to Launch.
    1. Choose Action: leave as default – Launch from Website
    2. EC2 Instance Type: We recommend leaving this as default – t2.micro is sufficient for up to 150 connected devices.
    3. VPC Settings: leave as default – we recommend using the default VPC. If you don’t have a VPC in your account, click Create a VPC in EC2, then click refresh on this page and your default VPC should appear.
    4. Subnet Settings: leave as default.
    5. Security Group Settings: Click on Create New Based on Seller Settings.

      Ports 80, 443 and 1194 are required to be open for TrueStack Direct Connect to work properly. Port 80 redirects to 443 and automatically gives the console a secure certificate for web access. Port 443 is also used for updates. Port 1194 is used for the VPN connection.

      1. Name your Security Group, for example, TrueStack SG.
      2. Create a description, for example TrueStack Direct Connect Security Group.
      3. Click Save.
      4. Click refresh for the newly created Security Group to appear.
  7. Key Pair Settings: Create a key pair if you don’t already have one. After creating a key pair, click the refresh button on the Marketplace. The key pair you created should appear in the drop down. Important: Download and save the key pair in a secure location.
  8. Click Launch.

Access the TrueStack Direct Connect Console

  1. Click on the link on the next page to go to your EC2 Console. Or click here: https://aws.amazon.com. Under My Account, click on AWS Management Console, then under the All Services / Compute section click on EC2. This will bring you to the EC2 Dashboard then click on Running Instances in the middle.
  2. Your TrueStack Direct Connect instance should appear on the list of running instances. Click the edit button under Name and name it “TrueStack Direct Connect”.
  3. It should look similar to this:
  4. Find the public IP from the description tab of the EC2 instance. The TrueStack Direct Connect interface works best in Google Chrome.

  5. Open Chrome and copy the public IP into the address bar. The IP should redirect to a TrueStack web address. The redirected URL will look similar to this: https://nk2g.truestack.com. This redirected URL is the address you can use in the future to access your interface.

    Troubleshoot: If the IP doesn’t redirect wait a few minutes. Your instance may still be starting up. After waiting, if it still doesn’t redirect to your TrueStack web address, reboot the EC2 instance from your AWS EC2 dashboard. A reboot will take about 3 minutes or less.

      1. To reboot, highlight the instance and click on the Actions button, then Instance State and Reboot from the drop down menus.
  6. On the TrueStack Direct Connect console accept the EULA.
  7. In the AWS EC2 dashboard, find your EC2 Instance ID from the description tab. This is your temporary password. Copy it into the password field in the TrueStack Direct Connect console and login. We recommend that you change this password on the Settings tab after you log in.

Additional Required Steps:

  1. Add an elastic IP: Without an elastic IP, connected computers may have to clear their DNS cache every time the instance restarts and gets a new Public IP.
    1. Shut down the instance before adding an elastic IP. To shut down the instance, in the EC2 Dashboard, choose the instance then click on Actions, Instance State, Stop.
    2. To add an elastic IP, in the EC2 dashboard, click on Elastic IPs under the Network and Security section. Allocate a new IP and then using Actions associate it with your TrueStack Direct Connect Instance. Start the Instance again from the dashboard. After the server has started access the instance from a Chrome browser by the new IP. The server may take 2 or 3 minutes to start. It should look like this.

    Troubleshooting: After changing to an elastic IP if your instance isn’t accessible through Chrome by the new elastic IP try these steps:

      1. Clear your DNS cache on the computer.
      2. Clear the cache in Chrome.
      3. Shut down your TrueStack Direct Connect instance and start it again. The elastic IP associates with a Truestack.net DNS name on startup. By shutting down and reloading your server you will re-initiate this process.
  2. Disable Change Source/Dest: This is required so your Windows servers will be able to route to the local computers.
    1. In the EC2 Dashboard, choose the TrueStack Direct Connect instance. Click on Actions, Networking, Change Source/Dest. Check. Click Yes, Disable.
    2. Leave Change Source/Dest. Check Enabled for your Windows servers and Disabled for your TrueStack Direct Connect server.
  3. Add an Additional Route to the VPC: This will allow the Windows domain controller to communicate with the connected computers. Without this route you will not be able to manage AD connected computers with PowerShell, the command line or group policies.
    1. On the EC2 Dashboard click on Default VPC on the right side.
    2. On the VPC dashboard, click on Your VPCs. We recommend using the default VPC. If you have multiple VPCs, choose the VPC that is associated with the subnet connected to your TrueStack Direct Connect instance.
    3. Click on the Route Table link associated with the VPC. You may have to scroll down to see the Route Table link. The link will open in a new tab.
    4. Choose the route table, click on the Routes tab and click Edit.
    5. Click Add another Route. Do not make any changes to the current routes.
    6. In the Destination type 5.5.0.0/20
    7. In the Target begin typing the Instance ID of your TrueStack Direct Connect Instance.  You can get instance ID from the description tab for your instance on the EC2 Dashboard.

      Troubleshooting: if your TrueStack Direct Connect Server Instance ID doesn’t automatically appear in the Target drop down list, ensure you are on the route table associated with your default VPC. If you have multiple VPCs, ensure you are on the route table associated with the VPC that your TrueStack Direct Connect Instance is associated with.
    8. Click save. You may have to scroll up to find save.
    9. It should look like this. If your route table shows Black Hole, it’s because the TrueStack Direct Connect server is turned off. Turn it on and it should change to Active.
  4. Add a rule for All Traffic. This is required in order for your Windows servers in AWS to communicate with your TrueStack Direct Connect server. Without this rule your on premise computers will not be able to route to your AWS Windows servers.
    1. On the EC2 Dashboard, Under Network and Security, click on Security Groups and choose the TrueStack Direct Connect Security Group.
    2. Click on the Inbound tab and click Edit.
    3. Click Add Rule.
    4. The Type should be All Traffic.
    5. Set Source to Custom.
    6. Type in your security group name, for example TrueStack Security Group, and choose it from the drop down list.
    7. Click Save. It should look like this.
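The four Additional Required Steps above as a repeatable script rather than console clicks, plus a defender's check that the security group exposes nothing beyond ports 80, 443 and 1194. This is an added example, not TrueStack's code; it assumes boto3 is installed with AWS credentials configured, and every id below (i-0example, rtb-0example, sg-0example, eni-0example) is a constructed placeholder.

```python
"""Apply the TrueStack Direct Connect 'Additional Required Steps' with boto3
and audit the instance's security group. Added example, not TrueStack's code.
Assumes boto3 + AWS credentials; all ids here are constructed placeholders."""
from __future__ import annotations

VPN_CIDR = "5.5.0.0/20"           # VPN client subnet the page routes to the instance
REQUIRED_PORTS = {80, 443, 1194}  # the only ports the page says must be open


def self_reference_ingress(sg_id: str) -> dict:
    """Step 4: 'All Traffic' rule whose source is the security group itself."""
    return {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": sg_id}]}


def build_plan(instance: dict, route_table_id: str) -> list[tuple[str, dict]]:
    """Turn one describe_instances 'Instance' dict into ordered EC2 API calls
    for steps 2-4. Step 1 (Elastic IP) needs two dependent calls, see apply()."""
    iid = instance["InstanceId"]
    eni = instance["NetworkInterfaces"][0]["NetworkInterfaceId"]
    plan = [
        # Step 2: disable Source/Dest check on the VPN server only, so it may
        # forward 5.5.0.0/20 traffic (leave it enabled on the Windows servers).
        ("modify_instance_attribute",
         {"InstanceId": iid, "SourceDestCheck": {"Value": False}}),
        # Step 3: route the VPN subnet to the instance's primary network interface.
        ("create_route",
         {"RouteTableId": route_table_id, "DestinationCidrBlock": VPN_CIDR,
          "NetworkInterfaceId": eni}),
    ]
    for sg in instance["SecurityGroups"]:  # Step 4 on every attached group
        plan.append(("authorize_security_group_ingress",
                     {"GroupId": sg["GroupId"],
                      "IpPermissions": [self_reference_ingress(sg["GroupId"])]}))
    return plan


def unexpected_public_ingress(sg: dict) -> list[tuple[str, int | None, int | None]]:
    """Rules open to the whole internet other than single-port 80/443/1194.
    Returns [] when the group matches the seller settings described above."""
    found = []
    for perm in sg.get("IpPermissions", []):
        public = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])) \
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if not public:
            continue  # e.g. the self-referencing All Traffic rule from step 4
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if perm.get("IpProtocol") == "-1" or lo is None or lo != hi or lo not in REQUIRED_PORTS:
            found.append((perm.get("IpProtocol"), lo, hi))
    return found


def find_route_table(ec2, subnet_id: str, vpc_id: str) -> str:
    """The table the page points at: the one associated with the instance's
    subnet, falling back to the VPC's main table (the default-VPC case)."""
    rts = ec2.describe_route_tables(Filters=[
        {"Name": "association.subnet-id", "Values": [subnet_id]}])["RouteTables"]
    if not rts:
        rts = ec2.describe_route_tables(Filters=[
            {"Name": "vpc-id", "Values": [vpc_id]},
            {"Name": "association.main", "Values": ["true"]}])["RouteTables"]
    return rts[0]["RouteTableId"]


def apply(instance_id: str, region: str) -> dict:
    """Run the plan idempotently, attach an Elastic IP (step 1), audit the groups."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    rt = find_route_table(ec2, inst["SubnetId"], inst["VpcId"])
    for api, params in build_plan(inst, rt):
        try:
            getattr(ec2, api)(**params)
        except ClientError as err:  # re-running is safe: skip 'already there' errors
            if err.response["Error"]["Code"] not in ("RouteAlreadyExists", "InvalidPermission.Duplicate"):
                raise
    addrs = ec2.describe_addresses(Filters=[{"Name": "instance-id", "Values": [instance_id]}])["Addresses"]
    if not addrs:  # only allocate when no Elastic IP is attached yet
        alloc = ec2.allocate_address(Domain="vpc")
        ec2.associate_address(InstanceId=instance_id, AllocationId=alloc["AllocationId"])
        addrs = [alloc]
    group_ids = [g["GroupId"] for g in inst["SecurityGroups"]]
    sgs = ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"]
    return {"route_table": rt, "elastic_ip": addrs[0]["PublicIp"],
            "unexpected_public_ingress": {g["GroupId"]: unexpected_public_ingress(g) for g in sgs}}


SAMPLE_INSTANCE = {  # constructed: the shape of one describe_instances 'Instance'
    "InstanceId": "i-0example", "SubnetId": "subnet-0example", "VpcId": "vpc-0example",
    "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0example"}],
    "SecurityGroups": [{"GroupId": "sg-0example", "GroupName": "TrueStack SG"}],
}

if __name__ == "__main__":  # dry run: show the calls without touching AWS
    for api, params in build_plan(SAMPLE_INSTANCE, "rtb-0example"):
        print(api, params)
```

Run apply("i-...", "us-west-2") with your real instance id once the instance exists; if the audit dict is non-empty, the security group allows more from the internet than the page's seller settings require.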

Recommendations:

  1. Use the ? help in the TrueStack Direct Connect Console.
  2. Change the default password after you logon.
  3. Periodically create backups from the Admin tab.
  4. Periodically run the updates from the Admin tab. Create a backup before you update the server.

What’s next?

  1. Practice navigating the Amazon EC2 dashboard, follow our Try it tutorial.
  2. To take a 48-hour test drive email support@truestack.com with subject “Test Drive”.
  3. If you’re considering migrating your on-premise Windows domain controller and file server to AWS read through the Seamless Migration to help you prepare for a successful migration.
  4. For configuration or migration questions contact TrueStack support at support@truestack.com.

Get a $200 credit from Azure and get a free 30-day trial from TrueStack

TrueStack Direct Connect is a VPN management server made to connect Windows and Mac computers to Windows domain controllers and file servers in the AWS and Azure clouds.  This tutorial will help you set up your own TrueStack Direct Connect instance in your Microsoft Azure account.

  1. If you don’t have an Azure account, create a free account. Non-Profits may be eligible for $5000 in yearly Azure credits through Techsoup. Apply here.
  2. Log in to the Azure portal. https://portal.azure.com.
  3. Click on Create a resource.  In the search field type TrueStack and click enter.
  4. Choose between TrueStack Direct Connect Unlimited, 10 or 25 device connections.
  5. Click on Create to deploy through the Resource Manager.
  6. Under the Basics tab, create a name for your virtual machine.  Remember this because this is also the initial logon password (see below).
  7. Leave the VM disk type as the default, SSD.
  8. Create a username and password or use an SSH public key.  This username/password will only be used if you need to ssh into the Virtual Machine to reset the default password for the console.
  9. Leave the subscription as Pay-As-You-Go.
  10. Create a new resource group and give it a name.
  11. Choose the location and click Ok.  Be aware that some locations do not allow static IPs.  We recommend using a static IP (see below).  As of this writing, these locations do not allow static IPs: North Central US, West US, Korea South, Korea Central, France Central, East US 2, East US, East Asia, Canada East.  We recommend choosing a different location.
  12. Here’s what it should look like:
  13. Choose a Virtual Machine size.  We recommend starting with DS1_V2 for 50 connected devices or less.  Scroll down or search for DS1_V2. You can increase your VM size if needed later.  Highlight the VM and click Select.
  14. On the Settings page, leave everything set to defaults except:  Change Use managed disks from Yes to No and change Boot Diagnostics to disabled. Click Ok.
  15. Here’s what the settings page should look like.  Click on each image to expand.
  16. Enter a preferred email address and phone number.  This is required.
  17. Click Create.  It may take 3 – 4 minutes for your TrueStack Direct Connect virtual machine to deploy.

Create a Route Table:

A route table will allow you to access connected devices from a Windows or other server in your Azure account.  This is required for Windows group policies and DNS to work correctly.
  1. First you’ll need the local IP of your virtual machine. Click on Virtual Machines on the left panel.  Find and notate the private IP of your TrueStack Direct Connect Virtual Machine.  It may be something like this.  10.0.0.4.  Also notate the Public IP.  It might be similar to this 13.91.217.55.  You’ll need it later.
  2. From the dashboard click on Create a resource.
  3. Type route table in the Search field. Click enter.
  4. The result should look like this.  Click on Route Table and click Create.
  5. Give it a name and use the resource group that you created earlier.  Be sure that the location is the same location you chose earlier.  Change BGP route propagation to disabled. Click Create.
  6. Here’s what the Route Table should look like.  Click on the image to expand it.
  7. On the left panel, click on Resource Groups and open the resource group you created earlier. Click on the Route table that you created.
  8. Click on Routes on the left side.
  9. Click Add at the top, to add a route.
  10. Type in a route name.
  11. In the Address Prefix type 5.5.0.0/20.  This is the subnet that TrueStack Direct Connect will use for the VPN connections.
  12. In the Next hop type choose Virtual Appliance from the drop down.
  13. For the next hop address type the IP of the TrueStack Direct Connect virtual machine that you notated earlier.  Something like 10.0.0.4.  Click Ok.
  14. Here’s what the route should look like. Click on the image to expand it.
  15. On the left panel of the route table click on Subnets.
  16. Click Associate at the top.
  17. Click on 1 Virtual Network and choose the virtual network for the resource group you created.
  18. Click on 2 Subnet and choose the default subnet for that virtual network.
  19. Make sure both check marks are green and click Ok.
  20. Click on Overview on the upper left side to see how it appears.  Here’s how your route table should look:

Change from a dynamic to a Static IP

A static IP is a public IP that doesn’t change.  This is a good idea because without a static IP, whenever you restart your virtual machine you will receive a new public IP.  Although your connected devices use DNS to find the server, since the DNS IP will have changed after the restart the devices may take a long time to get the updated route. To avoid this, set a static IP.
Be aware that some locations don’t allow static IPs.  As of this writing those are:
  • North Central US
  • West US
  • Korea South
  • Korea Central
  • France Central
  • East US 2
  • East US
  • East Asia
  • Canada East
  1. From the left panel click on virtual machines.  Click on the TrueStack Direct Connect virtual machine.
  2. Click on the IP address under Public IP Address.
  3. Change the assignment from Dynamic to Static and click save.
  4. This may reboot your virtual machine.

Accessing the Console

  1. To access the console open a browser.  We recommend using Google Chrome.
  2. Type in the public (static) IP address in the address bar.  It will redirect to a TrueStack https address.  Something like jmwp.truestack318a.net.  Save this DNS address.  You can use it to access the console at anytime in the future.
  3. On the console logon page, accept the EULA and type in your TrueStack Direct Connect Virtual Machine name as the password.  The password is the name you created at the beginning on the Basics tab.  It isn’t the password you created.  That password will only be used to SSH into the server if needed.  If you do not know the virtual machine name, in the Azure Portal click on Virtual Machines on the left panel to find the TrueStack Direct Connect virtual machine.
  4. We recommend changing this default password on the settings tab after you logon.


TrueStack Direct Connect is a VPN management server made to connect Windows and Mac computers to Windows domain controllers and file servers in the AWS and Azure clouds.  This tutorial will help you use TrueStack Direct Connect to connect an on premise Windows computer to an AWS Windows Domain Controller.

Summary:

The following steps will help you set up a Windows domain controller in Amazon Web Services and then connect a Windows Professional computer to the Windows domain using TrueStack Direct Connect.  After the computer is a member of Active Directory you can test access to the server by accessing a network share from the computer, pinging the computer from the server and remotely restarting the computer from the server.

For a quick test of TrueStack Direct Connect contact TrueStack and receive a 48-hour Test Drive.

Getting Started:

Important: For the purpose of this test we recommend setting up TrueStack Direct Connect and the below Windows server in a region that doesn’t include any production servers so you won’t disrupt any of your current AWS services.  We also recommend using the default VPC in that region.  Choose a region with a VPC that hasn’t been changed.  If you’re setting up a new AWS account then we recommend choosing a region that is closest to your location.

First follow the steps in the Step by Step Setup to configure TrueStack Direct Connect in AWS.  

Launch a new Windows Server from AWS:

  1. Use a Windows Professional computer and use Chrome for your web browser.
  2. In your AWS account, from the EC2 dashboard, click Launch Instance.
  3. Scroll down and choose Microsoft Windows Server 2016 Base or Microsoft Windows Server 2012 R2 Base.
  4. Select the default instance type, t2.micro.
  5. Select Review and Launch instead of Next: Configure Instance Details.
  6. On the right side click Edit Security Groups.
  7. Under Assign a Security Group choose Select an existing Security Group and then select the TrueStack Security Group then choose Review and Launch.
    Troubleshooting: If the TrueStack Security Group isn’t listed then you probably aren’t in the same region or VPC as your TrueStack Direct Connect Server.  Cancel the setup and check your region and VPC.  If you haven’t already, follow the Step by Step Setup.
  8. Click continue to the warning about port 3389.  Port 3389 doesn’t need to be open because you will access your Windows server through the TrueStack Direct Connect VPN.
  9. Click Launch on the next page.
  10. You will see the below dialog box.  If you have an existing key pair choose that; if not, create one by clicking on the drop down.  Give it a name and download it.  Important: save your key pair in a secure location.
  11. Click Launch Instances then click View Instances in the next page.

Connect to the Windows server using TrueStack Direct Connect:

  1. Open your TrueStack Direct Connect console.  Find the private IP of the EC2 Windows server from the description tab of the EC2 instance.
  2. In the TrueStack Direct Connect Interface, create an installer.
  3. Give the installer a descriptive name. We recommend using the name of the Windows computer you are connecting from.
  4. Type the private IP address of the Windows server EC2 instance you just created in both the Windows Server IPs field and the DNS Server IPs field.
  5. Click Save installer.
  6. In the security code field for the installer you just created, click on the download button.
  7. Download and install the TrueStack Direct Connect VPN client on your Windows Professional computer. You’ll be prompted for the security code on install.
  8. After you’ve installed the client you should be able to use remote desktop to access the Windows server EC2 instance by its private IP. The user is Administrator. You’ll need to get the password for the Windows server from the Connect button of the instance in AWS. You can change the password of the administrator user in Computer Management after you log in.
  9. Promote the Windows server to a domain controller.
  10. Add your TrueStack Direct Connect connected Windows computer to the Windows domain you just created.

Additional Practice:

  1. Create a shared folder on the Windows domain controller EC2 instance and access the share from your Windows domain connected computer.
  2. From the Windows domain controller EC2 instance, restart your Windows domain connected computer using this command line: shutdown -r -t 5 -m \\yourcomputername -f (replace yourcomputername with the computer’s name; the switches are -r restart, -t 5 a five-second delay, -m the remote computer, -f force running applications to close).

Use TrueStack Direct Connect to set up a Windows server in the AWS or Azure cloud

These are general directions for using TrueStack Direct Connect to connect your computers to a new Windows domain in AWS or Azure Windows server.

Try a free 30-day trial!

TrueStack costs $142 a month and allows you to connect up to 4096 computers and 253 servers.

The following assumes that you have already performed the Initial Configurations in either Azure or AWS.  If you haven’t set up TrueStack Direct Connect, follow the Initial Configuration Instructions below.

AWS Initial Configuration
Azure Initial Configuration

If you have an on premise server, this blog gives a summary of the process of migrating your on premise Windows domain controller and file server to AWS or Azure.

https://truestack.com/can-you-migrate-your-on-prem-domain-controller-to-the-cloud

Please read through our FAQ The Seamless Migration for tips related to bandwidth, scanners, printers, cloud backup and client/server line of business applications.

Set up a new Windows server in the cloud

Summary:
1. Set up TrueStack Direct Connect in the AWS or Azure Marketplaces. Follow the initial configuration steps here.  https://truestack.com/support.
2. Launch a Windows server in your AWS or Azure account and set up a Windows domain.
3. Create Installers for your Windows computers using TrueStack Direct Connect.
4. Download them and install them on each Windows computer.
5. Add the Windows computers to the Active Directory domain.
6. Create file shares and manage the computers with AD.

Step-by-step Instructions:

  • Launch TrueStack Direct Connect from the AWS Marketplace. Follow the directions for the initial configuration.  https://truestack.com/support
  • Then launch a new Windows Server 2012 R2 or 2016 Instance or VM in your account.
  • Connect to the Windows server and set up the domain. Be sure to install the DNS role on the Windows server.
  • Find the private IP of the Windows server in the instance description in your AWS account or Virtual Machine tab in Azure, for example, 10.0.0.157.
  • Create an installer in the TrueStack Direct Connect console for each computer that will connect to the Windows server. In the Windows IP field and in the DNS Server IP field add the private IP of the Windows Server. This will allow the Windows computer access to this cloud Windows server only and it will allow both the server and computers to communicate using DNS. A DNS server IP is also required for group policy and other server rules to communicate with the computers properly.
  • Each installer is made for only one computer and will only work on one computer. Each installer contains a unique certificate which is used to create an encrypted VPN tunnel between the computer and the Windows server. To protect the security of your AWS servers ensure that the installer is only installed on the appropriate computer. Also ensure it isn’t compromised or stolen during or after distribution.
  • Distribute the individual installers to each user. There are multiple ways to do this.
    • You can copy the installer link and email it or send it another way to the computer user along with the security code. The user will need to enter the security code before it times out, in order to download their installer.
    • Or you can download the installer yourself by clicking on the Download link by the security code. You can then send it to the user, put it in a local share that the user has access to, or copy it to their computer.
  • Install or have the user install the software on their computer.
  • After installation verify that the computers are connected in the console. If the computers are on and connected their names will appear in blue in the database.
  • Now you can add the connected computers to your cloud Windows domain.
  • We recommend opening file and print sharing on the windows firewall on the Windows server so the users can access the shared folders.  You can also use a group policy to open file and print sharing for the domain connected computers so you can ping them and access them via a UNC path if required.
  • After the computers are added to the domain you will then be able to manage them with Windows Active Directory as normal.  For example:
    • You can create file shares on the AWS server that these computers can access
    • You can use the Windows command line or PowerShell to send commands to these computers
    • You can create group policies used to manage these computers
    • You can set up and manage users in Active Directory

Read the Seamless Migration for additional considerations related to IOPS, bandwidth, printers, scanners and performance.

Before starting, follow the Step by Step setup for Amazon Web Services.  Be sure to follow the Additional Required Steps.  If you are using Microsoft Azure follow the Initial configuration steps here.


Summary

This blog outlines how to migrate an on premise Active Directory domain controller to a cloud Active Directory domain controller using TrueStack Direct Connect.

https://truestack.com/can-you-migrate-your-on-prem-domain-controller-to-the-cloud

Please read through our FAQ The Seamless Migration for tips related to bandwidth, scanners, printers, cloud backup and client/server line of business applications.

Migration Directions:

  • In the TrueStack Direct Connect interface, create an installer for your on premise Windows Domain Controller. In the Windows IP field, add the Private IP of the cloud Windows server.  In AWS find the private IP on the description tab of the instance.  In Azure, find the Private IP under Virtual Machines.  This will allow the Windows on premise server to have access to the cloud Windows server.  In the DNS IP field type in the IP of the on premise Windows Domain Controller.  This will direct the VPN to get DNS from the on premise Windows server.  It should look similar to this.
  • Download and install the installer you just created on the on premise Windows domain controller.  This will install on a physical or virtual server.
  • After installation verify that the on premise server VPN is connected in the TrueStack Direct Connect interface. If the computer is on and connected the name will appear in blue in the database.
  • Find the IP of the TAP adapter on the on premise server.  It will look similar to this 5.5.0.10.  The easiest way to find the IP of the TAP adapter on the on premise server is to right-click the network adapter in Control Panel, click on Status then Details.
  • Add the IP as the Preferred DNS server on the cloud Windows server.  This is added to the network adapter of the cloud server.  It should look similar to this.
  • Add the cloud Windows server to the on premise server’s domain.
  • Before promoting the server as a domain controller, open DNS on the on premise server.  Ensure the server is listening on all IP addresses and that Zone Transfers are allowed.
  • Also ensure that your local administrator password on the cloud Windows server is not the same as the Domain administrator password.  If it is, change the local administrator password on the cloud Windows server.
  • Promote the cloud Windows server to a domain controller.  Be sure to use domain credentials when you promote the server.  If you have problems promoting your server to a domain controller see Troubleshoot.
  • Now that the cloud server has been promoted to a Windows domain controller, in the TrueStack Direct Connect interface, click on the edit button to the right of the on premise Windows server and change the DNS Server IP field from the on premise server’s TAP adapter IP to the cloud Windows server’s private IP.  On the on premise server, restart the TrueStack Windows service to apply the change.
  • This is a good time to Snapshot the Windows cloud server for additional backup.
  • Create an installer in the TrueStack Direct Connect console for each computer that will connect to the cloud Windows server. In the Windows IP field and in the DNS Server IP field add the private IP of the cloud Windows Server. This will be something like 10.0.0.5. This will allow the computers access to this cloud Windows server and it will allow both the server and computers to communicate using DNS. A DNS server IP is also required for group policy and other server rules to communicate with the computers properly.

  • Each installer is made for only one computer and will only work on one computer at a time. Each installer contains a unique certificate which is used to create an encrypted VPN tunnel between the computer and the Windows server. To protect the security of your cloud servers ensure that the installer is only installed on the appropriate computer.  Also ensure it isn’t compromised or stolen during or after distribution.
  • Distribute the individual installers to each user. There are multiple ways to do this.
  • You can email or copy the installer link and send it to the computer user along with the security code. The user will need to enter the security code before it times out, in order to download their installer.
  • Or you can download the installer yourself by clicking on the Download link by the security code. You can then send it to the user or put it in a local share that the user has access to or copy it to their computer.
  • Install or have the user install the software on their computer.  For Mac computers follow these directions to connect using Tunnelblick.
  • After installation verify that the computers are connected in the console. If the computers are on and connected their names will appear in blue in the database. At this point the computers should still be able to access the on premise server as normal.
  • Now migrate your data to the AWS Windows server. You can use robocopy or other migration tools.  Don’t share the migrated folders until you’re ready to demote and remove the on premise server from the domain.  See below.
  • The following change should be planned, probably after hours, because after this change your on premise computers may not be able to access the on premise server.  If DHCP for the network, via your router or on premise server, is giving out the DNS IP of the on premise Windows server to the local network adapters of the on premise computers, remove it and use different DNS addresses.  Either use DNS server IPs provided by your ISP or public DNS server IPs.  The computers get internet DNS lookups through the local area network adapter and they get Windows domain lookups through the TAP adapter.  The TAP adapter should be receiving the IP address of the cloud Windows server.  For your local network we don’t recommend using static IPs on the computers; however, if this is your network convention, change the Primary and/or Secondary DNS server IPs to your gateway IP, your ISP’s DNS server IPs or public DNS server IPs.  For laptops that need to be used offsite, we recommend public DNS server IPs like Google’s 8.8.8.8 or 8.8.4.4.
  • Transfer the FSMO roles to the cloud Windows Domain Controller.
  • Document your shared folder names and printer names if you intend to enable Branch Office printer – see our FAQ on The Seamless Migration.
  • Ensure Active Directory has fully replicated to the cloud server.
  • Demote the on premise server and fully remove it from the domain.  It’s important to delete the on premise server completely from the domain, otherwise the computers may continue to look to the on premise server for Active Directory, Group Policy and DNS lookups. We recommend renaming and restarting it after removing it from the domain so it won’t cause any confusion on the network.  Check for remnants of the server in AD and AD sites and services and DNS.  Delete the server in all of these places.
  • Uninstall TrueStack Direct Connect on the on premise server and delete it from the TrueStack Direct Connect interface.
  • Now, you can rename the cloud Windows server so it uses the same name that the on premise server used before it was demoted.  This will allow your on premise computers to use cached DNS lookups to access their shares.
  • For example, if your on premise server was originally named DCDATA and your cloud Windows DC is named AWSDATA: after promoting AWSDATA as a domain controller and ensuring Active Directory replication succeeded, demote DCDATA and remove it from the domain completely.  Rename it DCDATAOLD.  Delete all remnants of DCDATA in Active Directory.  Then rename AWSDATA to DCDATA.  Set up your network shares and permissions the same way they were on DCDATA.  After you migrate the data and configure your shares and permissions, your Active Directory users will be able to open their mapped drives and other network shares the same way they did before, without noticing that the on premise server is now offline and they are accessing these shares on the cloud Windows server.
  • Restart the on premise computers.  This will update their adapters and route them to the cloud Windows server.

Please read through our FAQ The Seamless Migration for tips related to bandwidth, scanners, printers, cloud backup and client/server line of business applications.

Troubleshoot

These are general directions for using TrueStack Direct Connect to extend a Windows domain to an AWS Windows server. Contact TrueStack Support for help with TrueStack Direct Connect.  Any modifications made to a Windows domain should be done by a qualified technician.
  • First set up TrueStack Direct Connect in AWS or Azure.   Follow the directions here.
  • Then launch a new Windows Server 2012 R2 or 2016 instance in your cloud account and add it to the TrueStack security group.
  • Find the private IP of the Windows server in the instance description in your AWS account, e.g. 10.0.0.157.
  • In TrueStack Direct Connect, create an installer for your on premise Windows Domain Controller. In the Windows IP field only add the IP of the AWS Windows Server. This will allow the Windows on premise server to have access to the AWS Windows server.  In the DNS IP field type in the IP of the on premise Windows Domain Controller.  This will direct the VPN to get DNS from the on premise Windows server.
  • Download and install the installer you just created on the on premise server.  This will install on a physical or virtual server.
  • After installation verify that the on premise server VPN is connected in the console. If the computer is on and connected the name will appear in blue in the database.
  • Find the IP of the TAP adapter on the on premise server.  It will look similar to 5.5.0.10.
  • Add the IP as a Preferred DNS server on the AWS Windows server.
  • Add the AWS Windows server to the on premise server’s domain.
  • Before promoting the server, open DNS on the on premise server.  Ensure the server is listening on all IP addresses and that Zone Transfers are allowed.
  • Before promoting the server, ensure that your local administrator password on the AWS Windows server is not the same as the Domain administrator password.  If it is, change the local administrator password on the AWS Windows server.
  • Promote the AWS Windows server to a domain controller.  Be sure to use domain credentials when you promote the server.
  • On the on premise server, the local computers need to resolve the server’s DNS name to its local IP address.  This is probably a class A, B or C IP address similar to 192.168.1.25.  To ensure they don’t resolve it to the IP of the TAP adapter instead, which looks similar to 5.5.0.10, turn off Zone Transfers on both servers.  If the computers associate the TAP adapter’s IP with the on premise server, they won’t be able to access resources on the server.  (Zone transfers aren’t required for AD replication; however, having them turned on during domain controller promotion is helpful.)  Also un-register the TAP connection’s IP address in DNS.
  • Then clean up DNS.  In DNS on the on premise server the IP for the on premise server should be that of the local adapter, for example 192.168.1.25.  On the AWS Windows server the IP for the on premise server should be the IP of the TAP adapter, for example 5.5.0.10.  If, in the future, you need to sync DNS on both servers, you can turn Zone Transfers back on.  Once the zones are in sync you can turn off Zone Transfers and clean up DNS again.
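The DNS clean-up on the on premise domain controller from the two steps above, as an added PowerShell example (not TrueStack’s own tooling).  It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later), an AD zone named corp.example.com, an on premise DC named DCDATA with LAN IP 192.168.1.25, and a TAP adapter listed as “TrueStack TAP” with IP 5.5.0.10; every one of these values is a placeholder to replace with your own.

```powershell
# Added example (not part of TrueStack Direct Connect). Run in an elevated
# PowerShell on the on premise domain controller after the cloud server has
# been promoted. All values below are placeholders for your environment.
$Zone     = 'corp.example.com'   # forward lookup zone of the AD domain
$DcName   = 'DCDATA'             # host name of the on premise DC
$LanIP    = '192.168.1.25'       # LAN IP the local computers must resolve
$TapAlias = 'TrueStack TAP'      # interface alias of the TrueStack TAP adapter

# 1. Stop the TAP adapter from registering its 5.5.x.x address in DNS
#    (same as un-checking "Register this connection's address in DNS").
$tap   = Get-NetAdapter -Name $TapAlias
$TapIP = (Get-NetIPAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4).IPAddress
Set-DnsClient -InterfaceIndex $tap.ifIndex -RegisterThisConnectionsAddress $false
Write-Host "TAP adapter '$TapAlias' ($TapIP) will no longer register in DNS"

# 2. Turn zone transfers off again now that promotion has completed.
#    The page asks for this on both servers; run this step on each.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries NoTransfer

# 3. Remove the TAP IP wherever this server registered it: its own host
#    A record (DCDATA) and the zone apex A records (the domain name itself),
#    which a DC also registers. The LAN IP and the cloud DC's IP are kept.
$stale = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { ($_.HostName -eq $DcName -or $_.HostName -eq '@') -and
                   $_.RecordData.IPv4Address.IPAddressToString -eq $TapIP }
foreach ($r in $stale) {
    Write-Host "Removing stale A record $($r.HostName) -> $TapIP"
    Remove-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $r.HostName `
        -RecordData $TapIP -Force
}

# 4. Re-register the LAN adapter and Netlogon's DC records, then verify that
#    the server's host name now resolves to the LAN IP and not the TAP IP.
Register-DnsClient
Restart-Service Netlogon
$now = @((Get-DnsServerResourceRecord -ZoneName $Zone -Name $DcName -RRType A).RecordData.IPv4Address.IPAddressToString)
if ($now -contains $LanIP -and $now -notcontains $TapIP) {
    Write-Host "OK: $DcName resolves to $($now -join ', ')"
} else {
    Write-Warning "Check DNS manually: $DcName currently resolves to $($now -join ', ')"
}
```

If the TAP IP reappears after step 4, a Windows DC re-registered it through Netlogon; re-run step 3 after confirming step 1 took effect on the adapter.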
    • First Create an installer in TrueStack Direct Connect.
    • In the security code column, email the installation link to the user of the Apple computer or download the link on their computer.
    • On the download page choose Download Mac and download the config file to the Downloads folder.
    • Open a browser and go to tunnelblick.net
    • Download the latest stable release of Tunnelblick.
    • Open the .dmg file and double-click the icon titled Tunnelblick to install it.
    • When this dialog opens choose “I have configuration files”.
    • Click Okay on the next message.
    • Navigate to the Downloads folder and look for the config file you downloaded earlier. The config file will be named “client_<installer name>”.
    • Drag the config file over the Tunnelblick icon in the menu bar at the top of the screen. This will install the config file in Tunnelblick and start the VPN connection.

  • First create an installer then choose Download Mac.  This will download the config file.
  • If you have a version of Linux with a GUI, use Firefox to download the installer.
  • If you use SSH to access the console, then upload the config file you downloaded to a folder in your Linux computer using an FTP client like WinSCP.
  • The config file will be named similar to this client_INSTALLERNAME.ovpn
  • If you have a Linux GUI, right-click in the folder where the file is located and choose Open Terminal Here.
  • If you are accessing the console through SSH, navigate to the folder where you uploaded the config file.  Use cd plus the folder name to navigate in Linux, quoting the path if it contains spaces.  For example, cd "my folder" or cd "/tmp/my folder"
  • Then type:  sudo apt-get install openvpn
  • When that command completes type: sudo openvpn --config client_INSTALLERNAME.ovpn
  • Replace INSTALLERNAME with the name of your installer.
  • This command will connect the client.  The installer connects and then appears in blue in the TrueStack Direct Connect console.

You can connect cloud servers, AWS EC2 Instances or Azure Virtual Machines, that are in different regions using TrueStack Direct Connect.

Connect Servers in different regions:

  • Set up TrueStack Direct Connect in one region.  Follow the Initial Configuration directions here: https://truestack.com/support.
  • Create an installer for the remote server in the other region.  In the Windows Server IPs section in the console type in the private IP of the server that you want to connect to that is in the same region as your TrueStack Direct Connect server.
    • For example:
            • Your TrueStack Direct Connect server and a Windows server is in the Oregon Region.
            • You want to connect a Windows server in the London region to the Windows server in the Oregon region.
            • The Windows server in the Oregon region has the Private IP of 10.0.1.52.
            • In the TrueStack Direct Connect Console, create an installer and type in the IP 10.0.1.52 in the Windows Server IPs section.
            • If you want to connect the London server to multiple Windows server in the Oregon region, type additional private IPs for the other servers in the Oregon region on separate lines.
              • For example:
              • 10.0.1.52
              • 10.0.1.233
              • 10.0.1.39
            • If you want the London server to have access to all servers in the Oregon region give the London server access to the entire subnet by typing: 10.0.1.52/24. This allows the London server to connect to all Oregon servers.
            • If you want to connect the Oregon server to multiple London servers, create additional installers for each London server and specify the private IP of the Oregon server in the Windows Server IPs section for each installer you create for each London server.
            • If you want to allow all Oregon servers to connect to all London servers you need to create an installer for each London server and give each installer access to the entire Oregon subnet.
            • Specify the private IP of the Windows DNS server in the Oregon region if the London server(s) should be a part of the Windows domain on the Oregon server(s).
  • Install the TrueStack Direct Connect client from the installer(s) you just created on the London server(s).
  • By using the same configuration above you can also connect servers from different clouds, data centers and locations.
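A check for the Windows Server IPs list described above, as an added PowerShell example that is not part of TrueStack Direct Connect: it validates each line you intend to paste into the installer and shows what it covers, so a typo or an unintended subnet entry is caught before the installer is created.  The function name and the sample list are constructed for this example; the console’s own parsing rules are not documented here and may differ.

```powershell
# Added example (not part of TrueStack Direct Connect). Validates the lines
# meant for the "Windows Server IPs" section of an installer.
function Test-WindowsServerIpList {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = $line.Trim()
        if (-not $entry) { continue }
        $parts  = $entry -split '/', 2
        $octets = $parts[0] -split '\.'
        $ip = $null
        # Require exactly four octets; .NET's parser would otherwise accept
        # shorthand such as "10.0.1" and silently treat it as 10.0.0.1.
        $okIp = $octets.Count -eq 4 -and
                [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip) -and
                $ip.AddressFamily -eq 'InterNetwork'
        if (-not $okIp) {
            [pscustomobject]@{ Entry = $entry; Valid = $false; Covers = 'not a valid IPv4 address' }
            continue
        }
        if ($parts.Count -eq 1) {
            [pscustomobject]@{ Entry = $entry; Valid = $true; Covers = "the single host $($parts[0])" }
            continue
        }
        $prefix = 0
        if (-not [int]::TryParse($parts[1], [ref]$prefix) -or $prefix -lt 0 -or $prefix -gt 32) {
            [pscustomobject]@{ Entry = $entry; Valid = $false; Covers = 'prefix length must be 0-32' }
            continue
        }
        # Work out the network the prefix selects (10.0.1.52/24 -> 10.0.1.0/24).
        $b = $ip.GetAddressBytes(); [Array]::Reverse($b)
        $addr = [uint64][BitConverter]::ToUInt32($b, 0)
        $mask = ([uint64]0xFFFFFFFF -shl (32 - $prefix)) -band [uint64]0xFFFFFFFF
        $net  = $addr -band $mask
        $last = $net + (([uint64]1 -shl (32 - $prefix)) - 1)
        $toIp = {
            param($n)
            $x = [BitConverter]::GetBytes([uint32]$n); [Array]::Reverse($x)
            [System.Net.IPAddress]::new($x).IPAddressToString
        }
        [pscustomobject]@{
            Entry  = $entry; Valid = $true
            Covers = "network $(& $toIp $net)/$prefix, hosts $(& $toIp $net) - $(& $toIp $last)"
        }
    }
}

# Constructed sample list matching the Oregon example above, including a typo.
$sample = @('10.0.1.52', '10.0.1..233', '10.0.1.39', '10.0.1.52/24')
Test-WindowsServerIpList -Lines $sample | Format-Table -AutoSize
```

The last entry reports “network 10.0.1.0/24, hosts 10.0.1.0 - 10.0.1.255”, which is the whole Oregon subnet the page describes; the entry with the doubled dot is flagged as invalid.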

Client won’t connect

  • Ensure the computer is connected to the internet.
  • Restart the TrueStack service on the computer or restart the computer.
  • Delete and reinstall TrueStack Direct Connect on the computer.

Can’t ping or access the client computer from the Windows server

  • Ensure the computer is connected to the internet.
  • Restart the TrueStack service on the computer or restart the computer
  • Ensure the computer is a member of the Windows domain
  • Ensure File and Print sharing is open on the computer
  • Ensure that the route 5.5.0.0/20 is added in AWS or Azure.  For directions see the initial configuration https://truestack.com/support.
  • When adding a route in your VPC we recommend using the default VPC.
  • In AWS, disable Change Source/Dest. Check. Choose the TrueStack Direct Connect instance. Click on Actions, Networking, Change Source/Dest. Check. Click Yes, Disable. For detailed directions see the initial configuration https://truestack.com/support.
  • Some DNS servers provided by your ISP may block some DNS traffic going across port 1194.  In these cases the Windows server won’t be able to access the client.  Check the client’s TAP adapter icon in Control Panel to see if it shows “Unidentified network” under the adapter name, instead of your Windows domain name.
    It should show the domain name.  Change the DNS address of the TAP adapter to Google’s 8.8.8.8 or 8.8.4.4.  If your ISP is causing this DNS issue then you will see that your domain name immediately appears on the client’s TAP adapter.  Once the domain name appears on the TAP adapter, you should be able to access the client.
    This should be a rare situation; however, in this case you have a few options:

    • Change DHCP on your on premise router to give out the IP of your gateway or a 3rd party DNS, such as Google’s DNS servers – 8.8.8.8 or 8.8.4.4 instead of your ISPs DNS servers.
    • Set static DNS server IPs for the affected computers.  You may find that some laptops which are required to connect to multiple ISP networks will frequently have this issue, so it may be easier to set those laptops to Google’s DNS server IPs.

Reset your TrueStack Direct Connect Password:

  • Open SSH port 22 on your cloud network security group.
  • Use PuTTY or a terminal to SSH into TrueStack Direct Connect.
  • Type “sudo /opt/directconnect/bin/resetpasswd”
  • Create a new password.  Then you should be able to log in to the interface with the new password.

Upgrade to a new version of TrueStack Direct Connect

  • First create a backup then run the updates on the Admin tab.  This will update you to the latest version of TrueStack Direct Connect.
  • If you need to migrate to a new Instance (AWS) or VM (Azure) or you need to upgrade to a 25 or Unlimited edition of TrueStack Direct Connect, click on the Admin tab and download a backup of your server.
  • Create a new VM or Instance of TrueStack Direct Connect from the AWS or Azure marketplaces.
  • Follow the initial configuration instructions. https://truestack.com/support.
  • Shut down your current server so it doesn’t cause a DNS conflict on the internet after you complete the restore on the next step.
  • Move your elastic IP (AWS) or Static IP (Azure) over to the new server.
  • Turn on the new server and run the updates.
  • After updating, on the Admin tab of the new TrueStack Direct Connect server, click on Choose File and upload the backup file to your new server, click on Restore.

Can’t access web console after changing to a static or elastic IP

  • Clear your DNS cache on the computer.
  • Clear the cache in Chrome.
  • Shutdown your TrueStack Direct Connect instance and start it again.  The elastic IP associates with a Truestack.net DNS name on startup.  By shutting down and re-loading your server you will re-initiate this process.

My cloud Windows server won’t promote to a domain controller

  • Ensure your local administrator password and your domain administrator password are not the same.
  • Ensure that both the on premise and cloud servers can ping each other by IP.  The cloud server should be able to ping the tap adapter IP of the on premise server.
  • Server 2008 – If you are promoting a 2012 or 2016 domain controller in a 2008 forest and domain, we recommend restarting the on premise server after you’ve installed the TrueStack client and before promoting the cloud server as a domain controller.
  • Domain promotion may hang on some servers if there is a slow internet connection or packets are lost during promotion.  In these cases, you can cancel the promotion and try again.  After canceling the promotion, we recommend terminating the cloud server and starting with a brand new cloud server.  On the on premise server delete the cloud server out of Active Directory, AD sites and services and DNS before adding a new server and trying the promotion again.
  • Change your password – In the TrueStack Direct Connect console on the settings tab change the default password to a secure password.
  • Backup – On the admin tab periodically backup your server.
  • Update – On the admin tab periodically update the server.  Always back up the server before running updates.
  • Keep your Windows servers up to date.

Because every network has different priorities every migration will be a little bit different.  With that in mind, this blog is written for the purpose of helping your organization plan your on premise Windows domain controller and file server migration to the cloud using TrueStack Direct Connect, with little or no disruption to your end-users.

TrueStack Direct Connect is a VPN management server made to connect Windows and Mac computers to Windows domain controllers and file servers in the AWS and Azure clouds.  Try a free 30-day trial at the Amazon Web Services or Microsoft Azure marketplaces.

A detailed explanation of the Windows DC and file server migration steps is posted here.

Please read this document before you start to help you better prepare your network and plan your migration.

Overall Performance:  

Slowness is generally related to computer performance, cloud server performance or bandwidth.  Before you migrate, plan carefully, especially in these 3 areas.

Slowness is generally not related to managing Active Directory computers with a cloud Windows domain controller, unless your domain controller is using WSUS, SQL or other client server software or scripts that use up resources on the cloud server and on the client.

Organizations whose end-users access files on cloud Windows server network shares may also experience slowness due to a lack of resources in one of these three areas.  See about cloud file access below.

About cloud file access:

  • For organizations who use TrueStack Direct Connect to connect their end users to cloud Windows file servers, browsing files will be noticeably slower on Windows 7 computers vs. Windows 10 computers.
  • If you are using Office 2010 or an earlier version of office to access files on a cloud Windows file server you will notice lag times in file access.  We recommend Office 2013 or later.
  • Access to files on a cloud Windows file server will be much faster if your on premise computers use Windows 10 with SSD drives.
  • PDF files on the cloud Windows server will open faster with newer versions of Adobe Reader or Adobe Acrobat.  Large graphic or design files will open slower if the files are on the cloud Windows server. See pictures, PDFs and Videos below.

Computer Performance:

System Requirements: Windows 7, 8, 8.1 or 10, 32-bit or 64-bit.  Administrator rights are required for TrueStack Direct Connect client installation.

For the best performance we recommend: Windows 10 Pro, i5 (or equivalent), 8GB memory, SSD, Microsoft Office 2016

Cloud Server Performance:

Below are general recommendations for server performance.

Free Space: Windows servers may run slower when there is less than 20% free space on the root hard drive.  You can increase the size of the root hard drive in AWS or Azure.  We recommend shutting down your server and making a snapshot of the drive before you increase the size.

Updates and Restarts: Updating and restarting your Windows server regularly will also increase server performance.  We recommend putting your server on a schedule to restart at least once a week after hours.

Server Usage: When choosing the size of your servers consider their use.  For example, SQL servers need more VCPUs, IOPS and memory.  Servers that are used for heavy file access of pictures, large PDFs and large videos will also require more VCPUs, memory, IOPS and bandwidth (see Pictures, PDFs and Videos below).

Separate Hard Drives: We recommend that Windows storage drives used for file access in the cloud are SSD and are separate drives from the root.  This will make it much easier to upgrade your OS in the future (see upgrades below).  It will also make it easier to back up and restore (see backups below) and easier to increase the size of the drive if needed without affecting the OS.

IOPS (Input/Output Operations per second): Monitor your server’s performance and IOPS usage to determine your organization’s needs.  In cloud servers, IOPS is often the determining factor for the speed of your server and cloud network throughput.

TrueStack IOPS: In general TrueStack Direct Connect servers use very few IOPS.  You will find that the IOPS credits are very stable and the server rarely has to be restarted or upgraded to a faster instance.

We do not recommend restarting the TrueStack Direct Connect server on a schedule.  A restart will disconnect all of your computers.  After a restart, some computers may not reconnect correctly.  If a computer has a connection issue, restart the TrueStack service on the computer or restart the computer instead of restarting the TrueStack Direct Connect server.

AWS IOPS:

In AWS, IOPS are determined by the server version and the size of the hard drive.  The larger the hard drive or server, the more IOPS credits you accumulate.  T2 instances are burstable.  This means that they may run out of credits.  When you run out, your Windows server will run very slowly.  If you find that your Windows server slows down in the middle of the day, consider increasing the size of the root hard drive.  For Windows, we recommend starting with a 60GB SSD then increasing it up to 200GB or larger.  You can also increase your VCPUs and memory by upgrading to a faster server.  If you start with a T2 Micro instance and you’re seeing slowness, upgrade to a T2 Small or T2 Medium and increase the size of your root drive.

You can monitor your IOPS credits on the monitor tab of your instance.  If it shows close to 0 credits the server will be very slow.  In general your credits should be around 150 – 300 or more.   Regular restarts of your Windows server improve IOPS performance and credits.  We recommend scheduling your Windows server to restart at least once a week.  We do not recommend scheduling a restart of your TrueStack Direct Connect server.  Servers running SQL will require more VCPUs and IOPS.  If you are running WSUS, monitor your credits throughout the day and upgrade as needed.

You can upgrade the size of the hard drive or upgrade to a faster server without losing data.  As a precaution, we recommend that you shut the server down then snapshot the drives before you upgrade.

Use the AWS Calculator to determine the IOPS per hard drive size.  1TB = 3000 IOPS for an SSD drive.  Be aware that different regions charge different rates.  Because of this, for example, it may make more economic sense, with little performance difference, to put your servers in US West Oregon instead of US West California.

Azure IOPS:

Azure also uses IOPS and has burstable Virtual Machines, but the VM size bundles the root hard drive, which includes caching (similar to a page file), so it’s not always easy to determine the size of the root drive before launching a VM.

We don’t recommend using burstable Virtual Machines in Azure for Windows servers or TrueStack Direct Connect.  In general the equivalent Azure B series VMs run much slower than the AWS T2 series.  We recommend starting with the D2 series VMs which aren’t burstable.  With this in mind you’ll notice that AWS has much better pricing than Azure, however you may be able to reduce your hosting expense by bringing your own Windows licenses and paying for reserved instances. Nonprofits can also benefit from Azure if they are eligible for $5000 in Azure credits through Techsoup.  See Cloud pricing below.

Azure sets the size of the hard drive plus temporary storage used for caching when you choose a VM size.  In general we recommend using their default sizes, then increasing to a faster VM as needed.

See the Azure Pricing Calculator.

AWS Server Size Recommendations:

Recommended: 1 – 10 connected devices
TrueStack Direct Connect server: T2 Nano, 8GB SSD
Windows Server: T2 Micro 60GB SSD

10 – 20 connected devices:
TrueStack Direct Connect server: T2 Micro, 8GB SSD
Windows Server: T2 Small 100GB SSD

25 – 50 connected devices:
TrueStack Direct Connect server: T2 Micro, 8GB SSD
Windows Server: T2 Medium 200GB SSD

50 – 100 connected devices:
TrueStack Direct Connect server: T2 Micro, 30GB SSD
Windows Server: T2 Large 200GB SSD

Azure Server Size Recommendations: 

Recommended: 1 – 10 connected devices
TrueStack Direct Connect server: Standard Tier, DS2v1 3.5GB RAM, 50GB Temporary Storage
Windows Server: Standard Tier, DS2v2, 2 cores, 7GB RAM, 100GB Temporary Storage

10 – 25 connected devices:
TrueStack Direct Connect server: Standard Tier, DS2v1 3.5GB RAM, 50GB Temporary Storage
Windows Server: DS3v2, 4 Cores 14GB RAM, 200GB Temporary Storage

25 – 75 connected devices:
TrueStack Direct Connect server: Standard Tier, DS2v1 3.5GB RAM, 50GB Temporary Storage
Windows Server: DS12v2, 4 Cores, 28GB RAM, 200GB Temporary Storage

75 – 100 connected devices:
TrueStack Direct Connect server: DS2v2, 2 cores, 7GB RAM, 100GB Temporary Storage
Windows Server: DS13v2, 8 Cores, 56GB RAM, 400GB Temporary Storage

Bandwidth:

The amount of bandwidth your organization needs depends on what type of load you are putting on your server.  Here are our general recommendations based on 1 Windows DC and file server with 1 TB of storage, using a cable connection.  In this scenario users generally access Microsoft Office and PDF files on cloud Windows shared folders.  For some organizations a dedicated synchronous connection may be preferred.

1 – 10 connected devices: 50 mbps/down – 10 mbps/up
10 – 50 connected devices: 100 mbps/down – 20 mbps/up
50 – 100 connected devices: 200 mbps/down – 50 mbps/up

Client/Server line of business applications

In general, client/server applications like the QuickBooks database manager, Sage Accounting or custom multi-user Microsoft Access databases will not run at full speed across the TrueStack Direct Connect VPN.  Here are some alternatives:

  • Move to a web-based application.
  • Use Microsoft RemoteApp in the cloud to stream the application to the user.  We’ve written a blog explaining how to do this in AWS.  How to Set up Windows RemoteApp in AWS.
  • Set up a Remote Desktop Gateway server and RDP server.
  • Use Parallels in the cloud or another remote streaming app to stream the application to the end-user.
  • Put the application on a local member server or computer.  We don’t recommend this solution unless there is no other alternative.  Here’s why:
    • You will need to maintain an onsite/offsite backup solution for the onsite member server.
    • The client Windows computers onsite will need to be able to find the onsite member server by DNS or IP.  By default the TAP adapter will register an IP for the member server in the 5.5.0.0/20 network.  The onsite clients will not be able to communicate with the member server with this IP.  They will only be able to communicate with the local IP, for example 192.168.1.2.  So you will have to update the DNS address that the clients get.  The easiest way to do this is to un-check the “Register this connection’s address in DNS” checkbox on the DNS tab of Advanced TCP/IP Settings for the TAP network adapter.

      After that, ensure that the local IP address of the member server appears correctly in Windows DNS on the cloud Windows DC. Another way to update DNS is to set the IP for the member server in the local hosts file of the client computers.  One problem with the first method is that if you un-register DNS for the member computer then the Windows DC won’t be able to send Group Policy information and other commands to the member server, because the Windows DC can’t communicate with the local IP.  To update the member server’s policies you will have to temporarily register its TAP adapter in DNS.  This is why hosts files might work better.

DNS and DHCP

After migration ensure that Windows DNS and DHCP are set up correctly.  If DNS isn’t working correctly your connected devices will take longer to find the correct UNC paths for shared folders and may not receive their group policies.  If DHCP isn’t working correctly your computers may still be searching for the on premise Windows server instead of the cloud Windows server.

  • On premise DHCP should be giving out the DNS IPs of your gateway, your ISP or 3rd party DNS servers.  If it is giving out the DNS IP of your old on premise Windows server you will need to change it so your computers will find the cloud server instead of looking to the old on premise server for DNS.
  • If you had previously used your on premise DHCP server to give out IPs change DHCP to your router.
  • Ensure your TrueStack Direct Connect VM or instance has a cloud static IP.
  • Private IPs are inherently static, but they aren’t set on the cloud network adapter; they’re assigned by AWS or Azure.  Public IPs that aren’t set static will change after a restart, unlike private IPs.  Do not set a static IP on the cloud network adapter of the VM or instance: you may lose all access to the server!
  • In AWS be sure to add a route for 5.5.0.0/20 and in Azure be sure to add route table for 5.5.0.0/20.  Both of these are required in order for the Windows DC to be able to access the client computers.  Follow the Additional Required Steps in the step by step configuration to add these routes.  https://truestack.com/support
  • In AWS, be sure to Disable Change Source/Dest. Check for the TrueStack Direct Connect server.  Follow the directions in initial configuration for AWS to make this change.  https://truestack.com/support
  • On the cloud Windows DC, ensure that the DNS address for the network adapter is set to 127.0.0.1 or the Private IP of the Windows server, for example 10.0.0.5.
  • In the TrueStack Direct Connect interface ensure connected computers show the private IP of the Windows DNS server in the DNS server IPs section.
  • In the Windows firewall for the client and the server open file and print sharing for the domain only, so you can access the clients by UNC path and ping them by DNS name to see if DNS is working correctly.
  • Some DNS servers provided by your ISP may block some DNS traffic going across port 1194.  In these cases the Windows server won’t be able to access the client.  You will know that this isn’t working because you won’t be able to ping the client by DNS name from the cloud Windows server, and the client’s TAP adapter icon in Control Panel will show “Unidentified network” under the adapter name, instead of your Windows domain name.
    You can test this by changing DNS on the network adapter of one local client to an external DNS server, for example Google’s 8.8.8.8 or 8.8.4.4.  If your ISP is causing this DNS issue then you will see that your domain name immediately appears on the client’s TAP adapter.

    This should be a rare situation, however, in this case you have a few options:

    • Change DHCP on your on premise router to give out the IP of your gateway or a 3rd party DNS, such as Google’s DNS servers – 8.8.8.8 or 8.8.4.4
    • Set static DNS servers IPs for the affected computers.  You may find that some laptops which are required to connect to multiple ISP networks will frequently have this issue, so it may be easier to set those laptops to Google’s DNS server IPs.
  • Note: the client’s local area adapter or wifi adapter should not show your domain name.  It should show either “Network #” or the Wifi name.  If it is showing your domain name, it’s probably because your router is giving out the old on premise server’s IP for DNS, or DNS is set statically on the adapter with your old server’s DNS IP.  This should be removed.
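The checks above come down to one question: does a given DNS server return an answer for a name in your domain?  The probe below is an added example, not TrueStack's own code, and uses only the Python standard library so it runs the same on a Windows or Mac client or on the cloud DC.  It sends the same A query to several DNS servers (the DC's private IP, the adapter's current DNS, and 8.8.8.8) so you can see which one fails without changing adapter settings.  The hostname pc01.corp.example and the server addresses in the sample are constructed placeholders; substitute your own client name and DC IP.

```python
"""Stdlib-only DNS A-record probe: which DNS server answers for a domain name?"""
import random
import socket
import struct


def build_query(name, txn_id=0x1234):
    """Encode a standard recursive A query for `name` (RFC 1035 wire format)."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(resp, pos):
    """Return the offset just past a (possibly compressed) name starting at `pos`."""
    while True:
        length = resp[pos]
        if length == 0:                 # root label terminates the name
            return pos + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(resp, txn_id=0x1234):
    """Return the IPv4 addresses in the answer section, or [] on error/mismatch."""
    if len(resp) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txn_id or flags & 0x000F != 0:   # wrong transaction or RCODE != NOERROR
        return []
    pos = 12
    for _ in range(qd):                         # skip the echoed question(s)
        pos = _skip_name(resp, pos) + 4         # + QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def resolve(name, server, timeout=3.0):
    """Query one DNS server over UDP/53; [] means no usable answer in time."""
    txn = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return []
    return parse_a_records(data, txn)


def probe(name, servers):
    """Map each DNS server to the addresses it returned for `name`."""
    return {server: resolve(name, server) for server in servers}


if __name__ == "__main__":
    # Constructed sample: a client name in the domain, checked against the
    # cloud DC's private IP (page example 10.0.0.5) and a public resolver.
    for server, addrs in probe("pc01.corp.example", ["10.0.0.5", "8.8.8.8"]).items():
        print(f"{server:15}  ->  {addrs or 'no answer'}")
```

Only the DC's DNS server is expected to know names inside your domain; a public resolver returning nothing for pc01 is normal.  What matters for the page's symptom is whether the server the adapter is actually using returns an answer at all.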

Minimize Disruption – Rename your Cloud Server:

The best way to minimize disruption to your end-users during migration is to remove the on premise server and rename the cloud server to the name the on premise server had.  If you then install the TrueStack Direct Connect client on their computers and restart them, your end-users will log on as normal and access their network shares as normal after migration.  If the overall performance is well tested (see section Overall Performance), your end-users shouldn’t even notice that the server is out of the closet.

During migration, if you do not completely remove your on premise server from the cloud Windows domain, your on premise computers may still look for the old on premise Windows server for authentication and DNS, even if DNS and DHCP are set correctly.  After you have migrated all of the FSMO roles, data and applications, demote your on premise Windows DC, remove it from the Windows domain, rename it, and delete all entries for the server in AD Sites and Services and in DNS.  Restart the server.  Then, after installing TrueStack Direct Connect on the client computers and restarting them, they will find the new Windows cloud server for authentication and DNS.

We recommend that you snapshot the server before you rename it.

Printers

  • Use Branch Office Printing for capable printers.  Here’s an explanation of Branch Office printing from Microsoft.  If you rename the server to the same name your old on premise server had and ensure your shared printers keep the names they had before, your end-users will be able to continue to print as normal after migration.
  • Some printers, especially those that require print codes, may not work well with Branch Office printing.  For those printers see this link to use a GPO to install the printers locally.
  • Branch Office Printing does not work on Windows 7 computers.  Printers on Windows 7 computers will have to be installed locally over TCP/IP or installed through a GPO.
  • Some printers that are capable of using DNS and Branch Office printing may connect very slowly.  The end-user may feel like their entire computer is running slow because these printers are associated with the main applications they frequently use, like Microsoft Office.  In these cases we recommend testing with different print drivers.  Be aware that different print drivers behave differently on different operating systems.  If no print driver connects at normal speed on all computers with Branch Office printing, we recommend installing these printers locally over TCP/IP or through a GPO instead of using Branch Office printing.
  • Some networks require USB connected printers to be shared.  In these instances, because the computers cannot communicate with each other through the TrueStack Direct Connect VPN, we recommend setting the computer with the connected USB printer to a static IP.  Other users can then access the local shared printer by UNC path – for example \\192.168.0.25\printer

Scanners

  • If you have been using scan to file, we recommend switching to scan to email.  If you have O365 or G Suite you may be able to use these accounts for SSL/TLS relay through their SMTP servers.  You can also use a 3rd party SMTP relay server or set up an SMTP relay in the cloud.
  • If you need to use scan to file, you will be required either to have an on premise file computer or member server that your client computers can use to access a shared folder for scans, or to give the computers static IPs so the scanner can find them by IP across the network.
  • You can also use a USB scanner connected to one computer.

Ports:

TrueStack Direct Connect uses ports TCP 80, 443 and UDP 1194.  These ports should be left open in cloud AWS or Azure firewalls.

  • Port UDP 1194 is used for client/server VPN traffic.
  • Port 80 redirects to port 443.
  • Port 443 is used for the TrueStack Direct Connect interface and updates.  It’s also used for authentication of the client installer and to certify that the TrueStack Direct Connect is a valid AWS or Azure server.
  • In AWS add an All Traffic entry in the Security Group.  The Type is All Traffic and the Source is your subnet; type the name of your security group as the source for the subnet.  See the additional required steps in the step-by-step configuration.  truestack.com/support
  • You do not need to open any ports on the Windows firewall of the on premise computer.  See the Windows Firewall section below.
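The AWS prerequisites on this page (the 5.5.0.0/20 route, Source/Dest. Check disabled, and a security group that opens TCP 80, TCP 443 and UDP 1194 plus All Traffic from the subnet or the group itself) are easy to get slightly wrong, so here is an added audit, not TrueStack's code, that checks them from the JSON the AWS CLI or boto3 returns for describe-security-groups, describe-route-tables and describe-instance-attribute.  It also flags any other port left open to 0.0.0.0/0, since the page needs only those three.  The sample data, the instance and group IDs and the subnet 10.0.0.0/24 are constructed; the assumption that the route's target is the TrueStack Direct Connect instance ID is mine, not stated on the page.

```python
"""Audit the AWS prerequisites for TrueStack Direct Connect from describe-* output."""

TRUESTACK_CLIENT_CIDR = "5.5.0.0/20"   # client VPN range the page says to route
# Ingress the page requires from anywhere: (protocol, from_port, to_port)
REQUIRED_PUBLIC = {("tcp", 80, 80), ("tcp", 443, 443), ("udp", 1194, 1194)}


def _rule_keys(perm):
    """Flatten one IpPermissions entry into (proto, from, to, source) tuples."""
    proto = perm["IpProtocol"]
    lo = 0 if proto == "-1" else perm.get("FromPort", 0)        # "-1" = all traffic
    hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += ["sg:" + g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return [(proto, lo, hi, src) for src in sources]


def audit_security_group(sg, subnet_cidr, own_group_id):
    """Return a list of findings; [] means the group matches the page's guidance."""
    findings = []
    rules = [k for perm in sg["IpPermissions"] for k in _rule_keys(perm)]
    open_world = {(p, lo, hi) for p, lo, hi, src in rules if src == "0.0.0.0/0"}
    for proto, lo, _hi in sorted(REQUIRED_PUBLIC - open_world):
        findings.append(f"missing required ingress {proto}/{lo} from 0.0.0.0/0")
    # All Traffic from the subnet, or from the group itself as the page describes
    lan_ok = any(p == "-1" and src in (subnet_cidr, "sg:" + own_group_id)
                 for p, _lo, _hi, src in rules)
    if not lan_ok:
        findings.append("missing All Traffic ingress from the subnet / own security group")
    # Anything else reachable from the whole internet exceeds what the page needs
    for proto, lo, hi in sorted(open_world - REQUIRED_PUBLIC):
        findings.append(f"unexpected world-open ingress {proto}/{lo}-{hi}; restrict it")
    return findings


def audit_route_table(rt, truestack_instance_id):
    """Check that 5.5.0.0/20 is routed (actively) to the TrueStack instance."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") != TRUESTACK_CLIENT_CIDR:
            continue
        if route.get("InstanceId") != truestack_instance_id:
            return [f"route for {TRUESTACK_CLIENT_CIDR} does not target {truestack_instance_id}"]
        if route.get("State") != "active":
            return [f"route for {TRUESTACK_CLIENT_CIDR} is {route.get('State')}, not active"]
        return []
    return [f"no route for {TRUESTACK_CLIENT_CIDR} in {rt['RouteTableId']}"]


def audit_source_dest_check(attr):
    """attr is the output of describe-instance-attribute --attribute sourceDestCheck."""
    if attr["SourceDestCheck"]["Value"] is False:
        return []
    return ["Source/Dest. Check is still enabled on the TrueStack Direct Connect server"]


# Constructed sample data in the shape the AWS API returns (IDs are placeholders).
SAMPLE_SG = {
    "GroupId": "sg-0truestack00000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0truestack00000"}]},
        # A leftover RDP rule open to the world: not part of the page's requirements
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example0000000",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "5.5.0.0/20", "InstanceId": "i-0truestack0000000", "State": "active"},
    ],
}
SAMPLE_SDC = {"InstanceId": "i-0truestack0000000", "SourceDestCheck": {"Value": True}}

if __name__ == "__main__":
    report = (audit_security_group(SAMPLE_SG, "10.0.0.0/24", "sg-0truestack00000")
              + audit_route_table(SAMPLE_ROUTE_TABLE, "i-0truestack0000000")
              + audit_source_dest_check(SAMPLE_SDC))
    print("\n".join(report) or "all TrueStack AWS prerequisites satisfied")
```

With real data, feed the functions the dictionaries from `aws ec2 describe-security-groups`, `aws ec2 describe-route-tables` and `aws ec2 describe-instance-attribute --attribute sourceDestCheck` (or the equivalent boto3 calls); the sample run reports the stray RDP rule and the still-enabled Source/Dest. Check.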

Backups:

Here are some of our recommendations for backing up the cloud server.

  • If you have shared files that need to be backed up nightly, add an additional hard drive to the cloud server and use Windows Backup to back up to that drive.  In AWS you can use a less expensive Cold HDD (sc1) and in Azure you can use a less expensive HDD.
  • Periodically snapshot the server.
  • In Azure you can use Azure backup.
  • For a backup DC, add an additional Windows DC in a different region and use TrueStack Direct Connect to connect the DCs.
  • If you have available Microsoft volume licenses or if you can use SPLA licenses set up a Microsoft DPM server for backup.
  • Use a 3rd party solution such as Cloudberry to S3.
  • Consider using Volume Shadow Copy.  This will require more storage and more system resources.

Windows Firewall

TrueStack Direct Connect does not require any ports to be open for the cloud server on the Windows firewall or on the client Windows firewalls.

We do recommend opening File and Print sharing on the cloud Windows server so the computers can access network shares on the server.  You can also open file and print sharing for the domain for the on premise Windows computers so the Windows DC can access the computers by UNC path.

Future Operating System Upgrades

  • Keep your root drives and shared storage drives separate.  That way, if for any reason you need to move a hard drive to another server you can easily move it by disconnecting it from the base server and reconnecting it to another server.
  • Both AWS and Azure make it easy to expand any hard drive, including root drives.  Snapshot the drives before expanding them.
  • You can easily migrate to a new Windows Server operating system by installing the OS on a new VM, adding it to the domain, promoting it to a DC and migrating the FSMO roles.  After that, move the hard drive to the new DC and set the share and NTFS permissions.
  • You can then demote the old Windows server, remove it completely from the domain and rename it, then give the new Windows server the same name the old server had and change its private IP to the IP the old server had.  By doing this last step the new server will emulate the old one and the on premise computers will connect to the new server.
  • If the cloud storage drives were a separate drive you can move them over to the new server.
  • Snapshot all drives before doing the migration.

Pictures, PDFs and Videos

  • We recommend using Adobe Acrobat Reader DC or newer on Windows 10 computers for PDF viewing.  Reader DC caches pages better than previous versions.  This means that if your bandwidth is adequate (see section Bandwidth) a large PDF over 100 MB in size will download quickly and open the first few pages quickly.  While the user is viewing the first few pages, the rest of the pages download to the computer.  Windows 10 is better at this PDF caching than Windows 7.
  • Pictures that are 1 to 2 MB will open at normal speed.  These generally have .gif, .jpeg and .png extensions.  Programs used to edit pictures, like Photoshop, Illustrator or InDesign, use much larger files.  These files may open slowly across the VPN.
  • We recommend that graphic design stations open their design files locally on their computers especially if they are editing large pictures and video.  They can periodically upload the copies or final editions to the Windows server.
  • Some designers may require saving a shared folder on a computer or member server that is regularly backed up to the cloud.
  • Other options include setting up a dedicated cloud hard drive for the design files or using faster servers with better throughput and more IOPS on the hard drives used for design files.  You could also consider setting up a remote desktop server dedicated for a design user.  However, we’ve found that none of these options work as well as opening the files locally on the design computer and periodically uploading them to the server or using a local network share that’s backed up to the cloud.

Cloud Pricing

AWS

  • When using the AWS Calculator notice that different regions charge different rates.
  • Un-check the Free Tier Usage checkbox in the upper right-hand corner to find out what your expenses will be once your Free Tier expires.
  • There is no cost for Static IPs (Elastic IP) as long as they are in use.  You will be charged for use of the Static IP when the server is turned off.   You do not need a Static IP for your Windows server since it is only accessed by the private IP.
  • If you decide to use a Reserved Instance you will have to pay for 1 year up front.  You can upgrade at any time, but you will have to pay the difference.
  • AWS assumes there are 730 hours in a month.

Azure

  • The Azure Calculator is difficult to use and confusing.  You can also get pricing by choosing a VM in your account and viewing the price before you purchase. If you create a VM in your account to check the price Azure may require you to create a Resource Group.  We recommend deleting this to make sure you aren’t charged for anything, after you check the price.
  • Not all VMs are available in every region and different regions charge different rates.
  • The Azure calculator shows prices based on 730 hours in a month, but your account pricing is based on 744 hours a month.