How To Setup AWS Managed Microsoft Active Directory
In this blog post, we are going to learn the following things.
- Install and configure Microsoft AD services in AWS
- Join a Windows EC2 instance to the domain
- Manage Active Directory services from the Windows instance
What Is Active Directory?
In general, Active Directory is a Microsoft technology used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within the network.
AWS Directory Service provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory with other AWS services.
Basically, directories store information about users, groups, and devices, and administrators use them to manage access to information and resources.
AWS Directory Service provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud.
Types Of Directory Services In AWS
Below are the directory service types offered by Amazon Web Services.
Simple AD
A Simple AD directory is a managed directory powered by a Samba 4 Active Directory compatible server. It provides a subset of the functionality offered by Microsoft AD, and supports commonly used features such as user accounts, group memberships, Amazon EC2 instances joined to domains that run Linux and Windows, Kerberos-based single sign-on (SSO) and Group Policies.
This makes it easier to manage EC2 instances running Linux and Windows, and deploy applications in the AWS Cloud. You can use many of the applications and tools you use today that require Microsoft Active Directory support with Simple AD.
User accounts in Simple AD can also be used to access AWS enterprise IT applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail, and to manage AWS resources via the AWS Management Console. Simple AD also takes automated daily snapshots by default to enable point-in-time recovery.
AWS Managed Microsoft AD
AWS Managed Microsoft AD, also called AWS Directory Service for Microsoft Active Directory, is powered by an actual Microsoft Windows Server Active Directory (AD), managed by AWS in the AWS Cloud.
It enables us to migrate a broad range of Active Directory–aware applications to the AWS Cloud. AWS Managed Microsoft AD works with Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and many .NET applications.
It also supports AWS managed applications and services including Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon Relational Database Service (Amazon RDS for SQL Server, Amazon RDS for Oracle, and Amazon RDS for PostgreSQL).
AD Connector
AD Connector is a proxy service that provides an easy way to connect compatible AWS applications, such as Amazon WorkSpaces, Amazon QuickSight, and Amazon EC2 for Windows Server instances, to your existing on-premises Microsoft Active Directory.
With AD Connector, you simply add one service account to your Active Directory. AD Connector also eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure.
Amazon Cognito User Pools
Amazon Cognito is a user directory that adds sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools.
Amazon Cloud Directory
Amazon Cloud Directory is a cloud-native directory that can store hundreds of millions of application-specific objects with multiple relationships and schemas. Use Amazon Cloud Directory if you need a highly scalable directory store for your application’s hierarchical data.
In this guide, as we are going to set up the AWS Managed Active Directory service, we need the following.
Once we have set up the VPC with its subnets and have a Windows EC2 instance running within the VPC, we will go ahead and create an Active Directory service in AWS and join the Windows EC2 instance to it.
Creating Active Directory in AWS
Log in to the AWS console. Under Security, Identity, & Compliance, choose Directory Service.
Select AWS Managed Microsoft AD and choose Set up directory.
From the directory types, choose AWS Managed Microsoft AD and click Next.
Microsoft AD is available in two editions.
Standard Edition: best suited for small to medium sized businesses, with 1 GB of storage for directory objects, up to 30,000 objects.
Enterprise Edition: suitable for large businesses, with 175 GB of storage for directory objects, up to 500,000 objects.
Choose the edition as per your requirement.
For Directory DNS name, we need to provide a fully qualified domain name. It resolves within the VPC only, so it does not need to be publicly resolvable.
Optionally, we can provide a name for the networking service (NetBIOS name). If we don't provide one, AWS automatically uses the first part of the Directory DNS name.
We need to set an Admin password. This is the password of the directory's built-in Admin account, so choose a strong one and keep it somewhere safe; it is needed again when joining instances to the domain.
Choose the VPC and the subnets where the directory service should be created.
Click Next, review the settings and click Create directory.
Creation takes 20-45 minutes.
Once the status of the directory is Active, click the Directory ID to find details such as the DNS name and the DNS addresses of the directory.
Let's go ahead and join the instance to the domain.
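The same creation and status check can be done from the command line. The following is an added example, not part of the original post: it calls the AWS CLI from PowerShell, polls until the directory is Active, and prints the DNS addresses needed for the domain join. The domain name, VPC ID and subnet IDs are constructed placeholders, and the Admin password is read from a prompt rather than written into the script.

```powershell
# Added example (not from the original post): create an AWS Managed Microsoft AD
# with the AWS CLI from PowerShell and wait until it becomes Active.
# Assumptions: the AWS CLI is installed with credentials for the target account;
# the domain name, VPC ID and subnet IDs below are placeholders.
$DomainName  = 'corp.example.com'       # Directory DNS name (resolves only inside the VPC)
$NetBiosName = 'CORP'                   # optional NetBIOS short name
$VpcId       = 'vpc-0123456789abcdef0'  # placeholder
$SubnetIds   = 'subnet-0aaaaaaaaaaaaaaa0,subnet-0bbbbbbbbbbbbbbb0'  # two subnets in different AZs

# Prompt for the Admin password so it is not stored in the script or shell history.
$AdminPassword = Read-Host -Prompt 'Directory Admin password' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AdminPassword)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$created = aws ds create-microsoft-ad `
    --name $DomainName `
    --short-name $NetBiosName `
    --password $Plain `
    --edition Standard `
    --vpc-settings "VpcId=$VpcId,SubnetIds=$SubnetIds" `
    --output json | ConvertFrom-Json
$Plain = $null
$DirectoryId = $created.DirectoryId
"Created directory $DirectoryId; waiting for it to become Active"

# Creation takes 20-45 minutes; poll describe-directories every two minutes.
do {
    Start-Sleep -Seconds 120
    $dir = (aws ds describe-directories --directory-ids $DirectoryId --output json |
            ConvertFrom-Json).DirectoryDescriptions[0]
    "Stage: $($dir.Stage)"
} while ($dir.Stage -in 'Requested', 'Creating')

if ($dir.Stage -ne 'Active') { throw "Directory ended in stage $($dir.Stage)" }

# These are the DNS addresses entered on the EC2 instance in the next section.
"DNS addresses: $($dir.DnsIpAddrs -join ', ')"
```

The `DnsIpAddrs` values printed at the end are the same addresses shown on the Directory ID page in the console; the Stage values polled for are those the DescribeDirectories API returns while the directory is being built.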
Joining Instance To The Domain
I assume that you have a Windows EC2 instance running; if not, launch one by referring to this article.
Log in to the EC2 instance using an RDP client as the local Administrator.
Now we are going to join this Windows EC2 instance to the domain of the directory service.
First we need to configure the DNS of the Windows EC2 instance with the DNS addresses of the directory service, so that the instance can locate the domain controllers.
To do that, in the search box, type ncpa.cpl.
We can see the network adapter.
Double click on it, and then choose Properties.
Choose Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
Check Use the following DNS server addresses, and type the DNS addresses of the directory service.
Click OK and close the network dialogs.
To join the instance to the domain, open File Explorer.
Right click on This PC and then choose Properties.
We can see that this instance is not in any domain. To join it to the domain, click Change settings.
Click Change, choose Member of Domain, provide the DNS name of the directory and click OK.
It asks us for the admin username and password.
The username is Admin and the password is the one we configured while creating the directory service. Then click OK.
You will be greeted with a welcome message to the domain.
Now that we have joined the Windows EC2 instance to the Active Directory domain, we must restart the instance for the changes to take effect.
Once the instance is available again, we can log in directly as the domain Admin instead of the local Administrator.
Now we can see that this instance is a member of the domain.
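The DNS change and the domain join above can also be scripted. The following is an added example, not part of the original post: run as the local Administrator on the instance, it sets the DNS servers, checks that the domain controller locator record resolves before attempting the join, and then joins and restarts. The DNS addresses and domain name are constructed placeholders; take the real values from the Directory ID page.

```powershell
# Added example (not from the original post): point the instance's DNS at the
# directory and join the domain from PowerShell, run as the local Administrator.
# Assumptions: the DNS addresses and domain name below are placeholders for the
# values shown on the directory's detail page in the console.
$DirectoryDns = @('10.0.0.10', '10.0.1.10')   # placeholder directory DNS addresses
$DomainName   = 'corp.example.com'            # placeholder Directory DNS name

# Same change as ncpa.cpl -> IPv4 properties -> "Use the following DNS server addresses".
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DirectoryDns

# Check: the DC locator SRV record must resolve, otherwise the join cannot find a DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
"Domain controllers found: $($srv.NameTarget -join ', ')"

# Join with the directory's Admin account; prompting keeps the password out of the script.
# -Restart performs the reboot the post says is required for the change to take effect.
$cred = Get-Credential -UserName "$DomainName\Admin" -Message 'Directory Admin credentials'
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force

# After the reboot, logged in as the domain Admin, confirm membership and the secure channel:
#   (Get-CimInstance Win32_ComputerSystem).PartOfDomain   # expected: True
#   Test-ComputerSecureChannel                            # expected: True
```

The SRV lookup is the useful check: if it fails, the DNS settings are wrong or the security group between the instance and the directory is blocking DNS, and the join dialog in the GUI would fail for the same reason.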
How To Manage Active Directory Services?
The AWS Directory Service console has no options to manage the users, groups and computers of the Active Directory.
So we are going to use the same Windows EC2 instance to manage the Active Directory services remotely.
Search for Server Manager and open it.
Click Add Roles and Features.
On the Before You Begin page, click Next.
For the installation type, choose Role-based or feature-based installation and click Next.
For Server Selection, we are going to install the roles and features on this same Windows server, so click Next.
For Server Roles, we are not going to install any roles here. Click Next.
For Features, expand Remote Server Administration Tools, then Role Administration Tools.
Check AD DS and AD LDS Tools, along with the other Active Directory related tools.
Click Next and then click Install.
The installation of the features starts.
Once the installation has completed successfully, click Close.
Alternatively, under Server Roles we can simply choose Active Directory Domain Services, click Next and Install. This installs all the tools required to manage the directory service.
Click the Windows icon. Under Administrative Tools, we can see all the tools required to manage the directory service remotely.
Click Active Directory Users and Computers.
You will see the following screen.
Admin is the only user available in this domain, and we have logged in to AD as a domain administrator.
AWS recommends that we do not delete the Admin user.
From here, we can create and manage users, groups and computers within the AWS Managed Directory Service.
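The tool installation and the user and group management shown in the GUI can be done with PowerShell as well. The following is an added example, not part of the original post: run on the domain-joined instance as the directory Admin, it installs the RSAT AD tools, creates a user and a group, and verifies the result. It also handles a detail the GUI hides: AWS Managed Microsoft AD delegates the Admin account's rights only within the organizational unit named after the directory's NetBIOS name, so new objects must be created under that OU rather than in the default Users container. The user and group names are constructed placeholders.

```powershell
# Added example (not from the original post): install the AD management tools and
# create a user and group with the ActiveDirectory module, run on the domain-joined
# instance as the directory Admin. The user and group names are placeholders.

# Equivalent of Server Manager -> Features -> Remote Server Administration Tools
# -> Role Administration Tools -> AD DS and AD LDS Tools (plus the AD PowerShell module).
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature
Import-Module ActiveDirectory

$domain = Get-ADDomain
# AWS Managed Microsoft AD delegates Admin's rights within the OU named after the
# NetBIOS name (e.g. OU=CORP,DC=corp,DC=example,DC=com); objects must be created
# under it, not in the default CN=Users container, or the request is denied.
$baseOU  = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
$usersOU = "OU=Users,$baseOU"

# Read the new user's initial password interactively rather than embedding it.
$userPassword = Read-Host -Prompt 'Initial password for app-operator' -AsSecureString

New-ADUser -Name 'app-operator' -SamAccountName 'app-operator' `
    -UserPrincipalName "app-operator@$($domain.DNSRoot)" `
    -Path $usersOU -AccountPassword $userPassword -Enabled $true `
    -ChangePasswordAtLogon $true

# A group for one duty, so day-to-day work does not use the shared Admin account.
New-ADGroup -Name 'App-Operators' -GroupScope Global -GroupCategory Security -Path $usersOU
Add-ADGroupMember -Identity 'App-Operators' -Members 'app-operator'

# Verify the new objects, and confirm the Admin account AWS says not to delete is intact.
Get-ADUser -Filter * -SearchBase $usersOU | Select-Object SamAccountName, Enabled
Get-ADGroupMember -Identity 'App-Operators' | Select-Object SamAccountName
Get-ADUser -Identity 'Admin' | Select-Object SamAccountName, DistinguishedName
```

Creating a dedicated user and group this way, instead of handing out the Admin credentials, keeps the built-in account for directory administration only and gives each person or service an identity that can be audited and disabled on its own.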
We have successfully set up the AWS Managed Directory Service, joined a Windows EC2 instance to the domain, and logged in to the Windows instance as a domain administrator.
Hope you find it helpful. Please check out my other publications.