AWS Managed Microsoft AD Directory & EC2 Domain Join

Jun 22, 2024

Introduction

  • Today's tutorial demonstrates creating an AWS Managed Microsoft Active Directory (AD) and seamlessly domain joining a Windows EC2 instance to it.

Architecture Overview

  • VPC in AWS Account: 4 Subnets
    • Bastion Subnet (Public)
    • Management Subnet (Private)
    • AD Subnet 1 (Private)
    • AD Subnet 2 (Private)
  • Purpose of Subnets:
    • Bastion Subnet: Hosts Bastion Host instance for logging into the AD Management instance.
    • Management Subnet: Launches AD Management instance for directory services.
    • AD Subnets: Used for deploying the managed directory across different availability zones for high availability.

AWS Managed Microsoft AD Directory

  • Definition: AWS Directory Service that lets you run Microsoft AD as a managed service in the AWS Cloud.
  • Key Features:
    • Creates highly available domain controllers auto-managed by AWS
    • Host monitoring, data replication, snapshots, and software updates by AWS
    • Administrative control through an EC2 instance joined to the AD (e.g., AD Management instance).

Configuration Steps

  1. Setting up VPC and Subnets:

    • Core VPC with subnets: Bastion (public), AD management, AD Subnet 1, AD Subnet 2 (private).
    • Routing: the AD Management subnet routes to a NAT Gateway; the AD subnets have local routes only.
  2. Creating the Directory:

    • Switch to the Directory Service console and set up an AWS Managed Microsoft AD directory.
    • Choose Standard Edition for this demo.
    • Provide Directory DNS name (e.g., Corp.local), NetBIOS name, and admin password.
    • The directory is created in AD Subnet 1 and AD Subnet 2.
  3. Creating IAM Role and Security Group for EC2 instance:

    • Role: EC2 Domain Join role with policies (SSM management, SSM Directory Service Access).
    • Security Group: RDP traffic only from Bastion Host.
  4. Launching AD Management Instance:

    • EC2 instance details: name (AD Management), Windows 2022 Base, key pair.
    • Subnet: AD Management subnet, Security Group: AD Management SG.
    • Set advanced details: IAM role, and select the domain join directory.
    • Wait for the instance status to be running and for it to report 2/2 checks passed.
  5. Configuring Systems Manager for Seamless Domain Join:

    • Check State Manager for the domain join association (awsconfig_Domain) created for the instance.
    • Ensure the association's document executes successfully.

AD Management Post Configuration

  • Connecting to AD Management Instance: Log in using the Corp admin account from the Bastion Host.
  • Installing AD Admin Tools and DNS Server Tools:
    • Command: Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server -IncludeAllSubFeature -IncludeManagementTools
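The seamless domain join (step 5) and the post-configuration above can be checked from the AD Management instance itself. The following PowerShell script is an added example, not part of the original tutorial; it assumes the directory DNS name corp.local used in the walkthrough and is run elevated from the instance.

```powershell
# Added verification script (not from the original tutorial). Assumes the
# directory DNS name from the walkthrough; adjust $DomainName if yours differs.
$ErrorActionPreference = 'Stop'
$DomainName = 'corp.local'

# 1. Is this instance actually joined to the managed directory?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainName) {
    throw "Not joined to $DomainName (PartOfDomain=$($cs.PartOfDomain), Domain=$($cs.Domain)). Check the State Manager association."
}

# 2. The machine account's secure channel to a domain controller must be healthy.
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $DomainName is broken; repair with Test-ComputerSecureChannel -Repair."
}

# 3. The instance must resolve the directory's DC locator records, i.e. it must
#    be using the managed directory's DNS servers in the AD subnets.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $dcSrv) {
    throw "No DC SRV records for $DomainName; the instance is not using the directory DNS servers."
}

# 4. Confirm an instance profile is attached (queried via IMDSv2); seamless join
#    relies on the role carrying the SSM and Directory Service access policies.
$token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$roleName = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/security-credentials/' `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }
Write-Host "Instance profile role: $roleName"

# 5. Install the RSAT tooling from the tutorial (idempotent) and exercise it
#    against the directory by discovering a domain controller.
if (-not (Get-WindowsFeature -Name RSAT-AD-Tools).Installed) {
    Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server -IncludeAllSubFeature -IncludeManagementTools | Out-Null
}
Import-Module ActiveDirectory
$dc = Get-ADDomainController -Discover -DomainName $DomainName
Write-Host "Joined to $($cs.Domain); discovered DC $($dc.HostName) in site $($dc.Site)"
```

If check 1 or 3 fails, the usual causes are the instance profile missing one of the two policies or the instance not being launched in a subnet whose DHCP options point at the directory DNS servers.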

Using AD Administration Tools

  • Active Directory Users and Computers:

    • Manage the directory's objects through its Organizational Units (OUs) and user settings.
  • DNS Management Console: Connect using Directory DNS (corp.local).

Additional Admin Functions

  • Reset User Passwords: Available from the AWS Directory console.

Conclusion

  • How to create and use AWS Managed Microsoft AD Directory.
  • Seamlessly domain join an EC2 instance for AD administration.
  • For more such content, subscribe to Unmask IT.