1) Create an AWS Directory Service domain
There is good documentation on doing this. I chose the Microsoft Active Directory option.
A few notes on the creation of an AWS Directory Service:
- I created a new VPC with 2 subnets for the Directory Service usage
- I made sure each subnet has an Internet gateway associated so that it can be reachable from the outside
During the creation of the Directory Service, you'll be asked to specify an administrator-type user name and password. Make sure you remember what you specified there because you'll need this info in a subsequent step. Also make note of the DNS server IP addresses that were set during the Directory Service creation.
2) Create an IAM role to be associated with the EC2 Windows instance
- the IAM role needs to be associated with the AmazonEC2RoleforSSM and AmazonSSMFullAccess policies
- the IAM role also needs to have a trust relationship with ec2.amazonaws.com
3) Launch EC2 Windows instance associated with the AWS Directory Service domain
I chose the Windows_Server-2012-R2_RTM-English-64Bit-Base-2016.03.09 AMI. In Step 3 of the AWS launch instance wizard ("Configure instance details") I made sure I specified the following:
- Network: the VPC created in step 1) above
- Subnet: one of the 2 subnets created in step 1) above
- Domain join directory: the directory name for the Directory Service created in step 1) above
- IAM role: the IAM role created in step 2) above
4) Connect to EC2 Windows instance via RDP
First get the administrator password via the AWS console (you'll need to paste the contents of the private key corresponding to the EC2 key you used when launching the Windows instance). Then connect to the Windows instance as the local administrator user.
Verify that you see the fully qualified domain name of your Directory Service (whatever you indicated in step 1) as the domain of the Windows instance (in Server Manager -> Local Server). If you don't, something went wrong with joining the domain during the instance launch. You can see the system log of that instance in the AWS console by selecting the instance, then going to Actions->Instance Settings->Get System Log. For example, in one of my failed attempts to get all of this working I saw errors related to the IAM role I was using, which at the time didn't have the correct SSM policies attached.
If the Windows instance is correctly joined to the domain, you need to install the Active Directory management tools in order to actually manage the AWS Directory Service. Here is a Rackspace article I found with good instructions.
5) Log in to the EC2 Windows instance as the domain admin to manage AD
After the EC2 Windows instance was rebooted, I managed to log in via RDP as my.aws.directory.fqdn\myusername (where both of these values are the ones chosen in Step 1 above) with the password also chosen in Step 1. At this point I was able to use the Active Directory management tools to add new AD users etc.
Here are some other good resources I found:
- AWS documentation on joining an AWS Directory Service domain
- AWS blog post on using LDAP via AWS Directory Service
Post a Comment