Fix EC2 Windows logon issue by moving the AWS image to desktop and back

After installing a Windows Remote Desktop client access licenses, commonly known as CALs, on an AWS EC2-based Windows machine, I made a mistake of not specifying my RD license server in the terminal server settings. Once the demo licenses ran out, the CALs did not take, and I ended up with a valuable machine, used by 4 people daily, locked out and impossible to login into.

The machine was running Windows 2008R2, and the online recipes of “just do mstsc /v:server /admin” did not pan out, the logins were locked for good. Now AWS does not give you any access to the console, which would have allowed me all of 2 minutes to resolve the issue.

What I did was moving the instance to my desktop VirtualBox, making the change and moving the instance back. Here is how to do it:

  1. in EC2 console, stop the Windows machine and detach the volume
  2. create a small Linux instance, my preference is Ubuntu, as things are just easier there. I used a large drive here, to keep the image of the Windows partition, it’s a throwaway disk and instance anyway. (And there also seem to be and untested way to do it without temp storage altogether); then start it.
  3. install ntfsclone (sudo apt update; sudo apt install ntfsclone)
  4. create a small local VirtualBox Linux instance on your desktop, with one small (like, 5GB) drive for Linux, and another of exactly the same size as the Windows machine; start it. You will need a Linux iso, e.g. Ubuntu Server
  5. install ntfsclone (sudo apt update; sudo apt install ntfs-3g)
  6. Attach the windows volume to the EC2 Linux machine; on EC2 Linux machine:
  7. Find the drive by typing lsblk
  8. save the first 5MB to have an exact copy of all boot sectors and partitions:
    1. sudo dd if=/dev/xvdf of=head.bin bs=1M count=5
  9. give ubuntu user a password (run “passwd”) and enable password logins (“sudo vi /etc/ssh/sshd_config”, -> PasswordAuthentication yes – restart ssh: “sudo service ssh restart” )
  10. save the Windows partition to file:
    1. sudo ntfsclone –save-image -o – /dev/xvdf1 | gzip -c > part.img.gz
  11. to skip the need for password, copy AWS .pem file to VirtualBox instance to ~/.ssh, associate it in ~/.ssh/config file:
    Host echostname
    User ubuntu
    IdentityFile ~/keys/q.pem
  12. on the VirtualBox Linux instance:
    1. scp ubuntu@<ec2hostname>:head.bin .
    2. lsblk (to see the name of the windows disk device)
    3. sudo dd if=head.bin of=/dev/sdb bs=1M count=5 (this recreates partition structure)
    4. ssh ubuntu@<ec2hostname> ‘cat part.img.gz’ | gunzip -c | ntfsclone –restore-image –overwrite /dev/sdb1 –
  13. Stop VirtualBox Linux instance
  14. Create VirtualBox Windows instance, preferably use the same number of processors and RAM, use PIIX4 as a disk controller; attach the Windows drive we created in VirtualBox Linux instance; start it
  15. It should come up without the need of any repair. The OS will update for some time, then open the login window.
  16. Do the fixes and test them; then stop the VirtualBox Windows machine
  17. Start VirtualBox Linux machine on your desktop with the new Windows disk attached and send the updated image to EC2 (you might want to delete old image there first to save space):
    1. ntfsclone –save-image –output – /dev/dsk/sdb1 | gzip -c | ssh ubuntu@<ec2hostname> ‘cat > new.img.gz’
  18. To be safe, you can create a separate EC2 volume, and <dd head.bin> on it to recreate partitions, or just overwrite the original disk, on EC2 Linux machine, run:
    1. cat new.img.gz | gunzip -c | ntfsclone –restore-image –overwrite /dev/xvdf1 –
  19. Stop the EC2 Linux instance and reattach the volume as a root device to the EC2 Windows machine (I had to manually specify “/dev/sda1” as the device name while attaching to make it take as root); start the Windows machine
  20. you should be good at this point

What can be done differently? We could run ntfsclone directly, without using intermediate files. E.g.:

ssh ubuntu@<ec2machine> ‘sudo ntfsclone –save-image -o – /dev/xvdf1 | gzip -c’ | gunzip -c | ntfsclone –restore-image –overwrite /dev/sdb1 –

and the reverse when uploading the disk.

The download/upload operations are practically at your disk/network speed, gunzip cuts it about in half. Overall, better use of time and effort than rebuilding the domain controller with Office 365 installed, printers, work software and users.

Leave a Reply

Your email address will not be published.