Transcript for:
AWS Managed Microsoft AD Directory & EC2 Domain Join

In today's video we'll create an AWS Managed Microsoft AD directory and then seamlessly domain join a Windows EC2 instance to that directory. Let's take a quick look at the architecture. The VPC in the AWS account has four subnets, namely the bastion subnet, the management subnet, AD subnet 1 and AD subnet 2. The bastion subnet, which is a public subnet, hosts a bastion host instance which is solely to log in to the AD management instance in the private subnet. We have two private subnets in two different Availability Zones for high availability, where we will launch the AWS Managed Microsoft AD directory. AWS Managed Microsoft AD is an AWS Directory Service that lets you run Microsoft AD as a managed service in the AWS Cloud. When you select and launch this directory type, it creates a highly available pair of domain controllers powered by Windows Server 2019, connected by elastic network interfaces (ENIs) that are created in the VPC of your choice. Since it is a managed AWS service, the host monitoring and recovery, data replication, snapshots and software updates are automatically configured and managed for you by AWS, like any other AWS managed service. You can access your AWS Managed Microsoft AD directory using administration tools from an EC2 instance that is joined to the AD; in this case it is the AD management instance, which is launched in the management subnet that you see on the screen.

I am currently logged into my AWS account in the Sydney region as my administrator user. I've already created the VPC and the public and private subnets that are needed for the purpose of this demo, and have also launched a bastion host in the public subnet. So let's take a quick look at this VPC and the subnets that I've created. Let me switch over to the VPC console. The VPC that we'll be using for the purpose of this demo is the Corp VPC with this VPC ID, and I've created the subnets: the bastion subnet, which is a public subnet in Availability Zone A, and the AD management subnet, which is a private subnet in the same Availability Zone, and you can see from the route tables that it has a route to the NAT gateway. As for the AD subnets, AD subnet 1 and 2, you can see that they are created across two different Availability Zones, ap-southeast-2a and 2b, and these will be the subnets that we use for deploying the managed directory. AD subnet 1 and AD subnet 2 only have the local routes for the VPC and they do not have any outbound internet access through the NAT gateway, as we do not require that for the directory communication.

So let's now proceed to create the directory. To do so I'm going to switch over to the Directory Service console and then click on Set up directory. We do have four options for directory services here, but for the purpose of this demo we will be creating the AWS Managed Microsoft AD directory, and then click on Next. You can see that the domain controllers will be running on Windows Server 2019. We have two editions that we can choose from, and you can see the details to define which edition works for your choice; a good decision point would be to see the number of directory objects that you would be creating in your directory to choose between the two editions. So we are going to select the Standard Edition of the directory for this demo, and I'll provide the directory DNS name, or the fully qualified domain name, for our directory. For this example I'm going to name it corp.local and provide a NetBIOS name. This is optional, but it's preferred to give the first part of your domain name as your NetBIOS name, so I'm going to give the NetBIOS name as CORP, and then provide a description for this directory. I'm just going to put the same description as my NetBIOS name, but you can give any description of your choice.

Next we switch to the admin password. To perform operational management of your directory, AWS does have exclusive control of the accounts with Enterprise Administrator and Domain Administrator privileges; this includes exclusive control of the AD Administrator account. During the directory creation AWS will create a directory administrator account with the username Admin, and we specify the password here during the creation of the directory. Note that this account does not have any Domain Administrator or Enterprise Administrator privileges, but it rather has a delegated set of permissions, and I will link those permissions in the description below for you to note. We can later see that this account is created in the Users OU of our directory. So let me go ahead and give a password for this directory admin account, and once I've confirmed the password, let's go ahead and click Next.

Here we're going to provide the VPC where the directory will be created. You do require at least two subnets in two different Availability Zones that you need to provide here, so I'm going to select the VPC that we created, that is the Corp VPC, and select the two AD subnets that we have created: I'm going to select AD subnet 1 followed by AD subnet 2. And here you can see the default initial AD site name that will be created in AD Sites and Services for this directory. Let's go ahead and click on Next. With all the details provided, I'm then going to go ahead and create this directory. It could take about 15 to 20 minutes for the directory creation to happen, and you can see that the status of the directory will be Creating during that stage. Once the status has switched to Available, that's when you can actually access the directory and perform the directory administration tasks against this directory.

While the directory is being created, the next action that I would want to show you is to actually seamlessly domain join an EC2 instance to this directory. Since this directory is a managed directory, you do not have access to actually log into the domain controllers created by this directory; rather, you can join an EC2 instance to this directory and manage this directory using the AD administration tools. So before we do that, let's set up the prerequisites for creating the AD management instance. I'm going to create the IAM role with the necessary permissions to seamlessly domain join the instance to the directory, and we'll also create a security group for that instance. To do that I'm going to switch to the IAM console, click on Roles and then click on Create role. I'm going to select EC2 as the use case and then click Next. AWS provides two managed policies that you can use when performing a seamless domain join of an EC2 instance; I'll list the two managed policies here. The two policies are AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess, so I'm just going to go ahead and select those. With the two policies selected I'm going to go ahead and click on Next. I'm going to call this role EC2 domain join and then click on Create role. Now that the role is created, let's go ahead and create the EC2 instance, and we'll create the security group while creating the instance. So I'm going to click on the Instances tab.

We do need to wait for the directory to be available before we can launch and seamlessly domain join this instance to the directory. I've given it about 20 minutes, and now I can see that the directory is reporting as Active. We're now in a position to launch our AD management instance and seamlessly domain join it to this directory. Before we do that, I do want to go through some of the details about the directory. This is the directory ID that's created for corp.local. Clicking on the directory ID, I can see the networking details as well as some of the directory settings. We then switch over to this tab, and you can see that by default you have two domain controllers that are created for this directory with the corresponding IP addresses, one in each of the subnets. So let me switch over to the EC2 console so I can show you the two interfaces of the directory that's created. Switching to the EC2 console and going to the Network Interfaces tab, you can see that there are two interfaces that have the security group named with the directory ID followed by _controllers; these happen to be the two interfaces of the directory. A good way to also identify that is to read the description of the interfaces, and you can see that it's written as "AWS created network interface for directory" with the directory ID. Clicking on the interface you can also see the private IP for each of these interfaces, and this also happens to be the private IP that is reported in the Directory Service console. If you click on the security group that is attached to these interfaces, you can see that by default AWS creates the security group with the security group rules that are needed for Active Directory communication. Note that the outbound rules by default only allow all traffic to the directory security group itself, so if you do need to allow outbound traffic from the directory, you will need to modify the security group to allow the traffic accordingly.

So now that we have seen the details of the directory, let me switch over to the EC2 console to now create the AD management instance. Clicking on the Instances tab, I'm going to go ahead and click on Launch instance. Let's name the instance AD management. I'm going to select Windows and leave it with the default 2022 Base image. I'm going to leave the instance type and select the key pair that I have already created. Let me switch over to the Corp VPC, which is where I will launch this instance, but for the subnet I'm going to select the AD management subnet, which does have outbound access to the NAT gateway so that it can communicate with the AWS Systems Manager endpoints for the seamless domain join. I will be creating a new security group here, so I'm going to call this the AD management SG. For the RDP traffic we will be allowing inbound RDP traffic from the bastion host instance, so let me just duplicate this tab so I can get the IP of the bastion host instance. Selecting the instance, I'm going to get the private IP of this instance and provide that as the source for RDP traffic. Once that's configured, we need to expand the Advanced details, where we will be providing the IAM role as well as the directory ID so that we can perform the seamless domain join. To do so, under Domain join directory click on the drop-down, and you can see that the AWS managed Active Directory, that is corp.local, is listed here with its directory ID. So let's select that, and then for the IAM instance profile we will select the EC2 domain join role that we created previously; this role does have the necessary permissions to perform the domain join operations using AWS Systems Manager. Once we have selected the domain join directory and the IAM instance profile, let's go ahead and launch the instance. Let me switch back to the Instances tab and wait for the instance state to report as Running with the 2/2 checks passed. Let me refresh the console. I can see that the AD management instance is now running with the 2/2 status checks passed.

So let's take a look at what the seamless domain join process actually does. Let's switch over to the Systems Manager console and then click on the State Manager tab. You can see that there is an association ID with the document name awsconfig_Domain followed by the domain ID and the domain name. It reports the last execution time, and you can see that the status is currently Pending. I'm going to give it a couple of minutes to see if the status reports a Success. While we wait for this association to run, I'm going to click on the association ID and then we can take a look at the document that this association actually runs against the instance. You can see the content of the document: it uses the aws:domainJoin plugin that's provided, and provides the three properties for that plugin, which are the directory ID, the directory name and the DNS IP addresses for the domain, which are auto-populated when you select the directory ID while launching the instance. Switching back to the association ID, you can see the resources for the association ID, and you can see that the resource ID and the association status are now reported as Success. So let's take a look at the output, which says 1 out of 1 plugin, since there's only one plugin, that's aws:domainJoin, and that's reported as Success. The execution history also lists the execution ID against that particular instance.

So let's head back to the association that's created, and since that's reported as a Success, I'm now going to try to log into the instance using the Corp Admin account. To do so I'm going to switch over to the bastion host and try to log in to the AD management instance that we just created. Let me grab the private IP of the AD management instance. In order to connect using the directory admin account, I do need to provide the username using the syntax NetBIOS name backslash Admin, then click on Connect, and I'm prompted for the directory admin password. This is the password that we provided when we created the directory. I'm going to click on OK, and you can see with the RDP certificate that the hostname of the remote computer does have the suffix corp.local, which indicates that the machine is domain joined. So I'm going to then click on Yes.

Now that we are connected to the AD management instance, I'm going to run a PowerShell command so that we can install the directory administration tools. Let me open the PowerShell ISE console. We're now going to use this command, which is Install-WindowsFeature. We're going to install the two Remote Server Administration Tools, the AD tools as well as the DNS Server tools, and we're going to include all the sub-features and the management tools that are included as part of this Windows feature. So let me go ahead and run that. You can see that the AD tools and the DNS Server tools are installed and no restart is required for installing these tools. Note that you can also run this command to install the tools while the instance is being launched, as part of the user data script. If you were to do that, this would be the syntax of the command that you need to provide in the user data section while launching the instance.

With the feature installed, let's go ahead and try to connect to our directory using the Active Directory tools. First I'm going to launch the Active Directory Users and Computers console; to do so I'm going to type dsa.msc, and you can see that it's connected to corp.local, which is our directory. You can see that AWS creates an organizational unit, or OU, to store all the AWS-related groups and accounts. The name of this OU will be the same as the NetBIOS name that you provided when creating the directory; in my case, since the domain was corp.local and I provided the NetBIOS name as CORP, you can see that the name of my OU is Corp. Note that this OU is owned by AWS and contains all of your AWS directory-related objects, and you do have full control over this OU. Under this OU you do have two child OUs by default, by the name of Computers and Users. This contains the computer accounts for all the instances joined to your directory; in this case, since we've joined the AD management instance to the directory, we have the computer account of the AD management instance, and under the Users OU we have an Admin account, which is the default directory admin account that was provided when creating the directory, that's present within this OU. Note that any other directory-related objects, for example if you are creating a new user or an OU, would need to be created within the Corp OU, and you do not have access outside of the scope of the Corp OU to create any other users or other directory-related objects. So let me quickly show you that. If I were to go to the default Users container and right-click on it, you can see that there is no New option for you to create any users; however, if I were to go to the Users OU under the Corp OU, you can see that I'm now provided with a New option where I can create new users, groups or OUs or any other directory-related objects.

Let's also open the DNS Management snap-in, since we have installed the DNS Server tools. You can see that it prompts you for which computer you want to connect to, so I'm going to provide the domain name corp.local. You can see that we now have the DNS Management console for our directory, where you can see the records that have been created for the directory. In this case we have two records, which are the records for the domain controllers of our directory, and we also have a host A record for the AD management instance that we created. Lastly, I do want to show you that besides performing the directory management tasks by using the snap-ins, you can also reset a user password from the AWS Directory Service console. So let me quickly switch over to the directory console, and if you click on the directory, under Actions you do have an option to reset user password. You do have permissions to change the password of the default Admin account or any other users that you create as part of your directory.

So this covers how to create an AWS Managed Microsoft AD directory and how to seamlessly domain join an AD management instance to the directory, so you can administer the directory using directory administration tools. Thanks for watching. For more such content, please don't forget to like, share and subscribe to unmask it now. Until next time.
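An added example, not code from the video, following up on the user data remark in the transcript: a user data script for the AD management instance that installs the same RSAT tools and then, on each boot, records whether the seamless join has completed and where the Admin account landed. It assumes the video's directory name corp.local, NetBIOS name CORP and the built-in Admin account, and the log path is a placeholder; the instance must still be launched with the directory and the instance profile selected as in the video, because the join itself is done by the SSM association, not by this script.

```powershell
<powershell>
# Added example (not from the video): EC2 user data for the AD management instance.
# Assumes the instance was launched as in the video, with corp.local selected under
# "Domain join directory" and an instance profile carrying AmazonSSMManagedInstanceCore
# and AmazonSSMDirectoryServiceAccess, so the SSM awsconfig_Domain association does the join.
# This script only installs the RSAT tools and records join state; it creates no AD objects.
$ExpectedDomain = 'corp.local'                              # directory DNS name from the video
$Log            = 'C:\ProgramData\ad-management-bootstrap.log'   # placeholder log path
Start-Transcript -Path $Log -Append

# 1. Install the same Remote Server Administration Tools the video installs interactively.
$rsat = Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server `
            -IncludeAllSubFeature -IncludeManagementTools
"RSAT install: Success={0} RestartNeeded={1}" -f $rsat.Success, $rsat.RestartNeeded

# 2. Record whether the seamless join has completed. The join is performed by the SSM agent
#    and reboots the instance, so this runs on every boot (<persist>) instead of waiting.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain state: PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain

if ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)) {
    # 3. Confirm both managed domain controllers are advertised in DNS (one per AD subnet).
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ExpectedDomain" -Type SRV |
        Where-Object QueryType -eq 'SRV' |
        Select-Object NameTarget, Port | Format-Table -AutoSize

    # 4. Confirm the delegated Admin account sits in the AWS-owned OU named after the
    #    NetBIOS name (CORP), not in the default Users container.
    Import-Module ActiveDirectory
    $admin = Get-ADUser -Identity 'Admin' -Properties DistinguishedName
    "Admin DN: {0}" -f $admin.DistinguishedName
    if ($admin.DistinguishedName -notlike '*OU=Users,OU=CORP,*') {
        Write-Warning 'Admin account is not in the expected OU=Users,OU=CORP location'
    }
}
Stop-Transcript
</powershell>
<persist>true</persist>
```

The transcript log lets you confirm, without an RDP session, that the join finished against the expected domain and that the SRV records list exactly the two managed domain controllers.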