Step 3: Administering AD

Author: Dean Suzuki (Last Updated: 8/23/20)

Abstract

In AWS Managed Microsoft AD, the Domain Controllers (DCs) are managed by AWS. You cannot log in to the DCs using Remote Desktop Protocol (RDP). In order to manage the data within the AWS Managed Microsoft AD (e.g. users, computers, group policy, sites, site links, DNS, etc.), you need to create a management server and perform all the domain management operations from this server. This management server can be placed anywhere on the network as long as the necessary network connectivity exists between the Domain Controllers and the management server.

In this lab, you will deploy a management server in your VPC and install the Active Directory tools to manage your AWS Managed Microsoft AD. You will also experience the seamless domain join feature. This feature automatically joins the new management server to AD as a domain member when you deploy it. After this lab, your environment will look like the diagram below.

For more information on AWS Directory Service, please visit our developer guide.

Section 1: Create IAM role for seamless domain join

  1. Log in to your AWS account. In the Find Services field, search for the IAM service.
  2. Select Roles, and click on “Create Role”.
  3. Select the AWS service.
  4. Select EC2 as shown below and click on “Next: Permissions”.
  5. Under policies, search for “AmazonEC2RoleforSSM”, select this policy and click “Next: Tags”.
  6. Enter “CreatedBy” for the Key and, for the Value, enter your name. Tags are a great resource to help you organize and keep track of AWS resources. Before deploying a large AWS implementation, you should design a tagging strategy for your company. Click “Next: Review”.
  7. For the role name, use “DomainJoinEC2” and click on “Create Role” to complete the role creation.
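The same role, built with AWS Tools for PowerShell instead of the console (an added example, not part of the lab; it assumes the AWS Tools modules are installed and credentials are already configured). The verification at the end shows the one thing worth checking on any EC2 role: the trust policy names only ec2.amazonaws.com as principal.

```powershell
# Added example (not the lab's own code): Section 1 with AWS Tools for PowerShell.
# Assumes the AWSPowerShell / AWS.Tools modules are installed and credentials are set.
$roleName = "DomainJoinEC2"

# Trust policy: the console's "AWS service / EC2" choice produces exactly this document.
$trustPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
'@

# CreatedBy tag, as in step 6 (placeholder value).
$tag = New-Object Amazon.IdentityManagement.Model.Tag
$tag.Key = "CreatedBy"; $tag.Value = "<your name>"

New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trustPolicy -Tag $tag | Out-Null

# AmazonEC2RoleforSSM is the managed policy the lab attaches; it lives under service-role/.
Register-IAMRolePolicy -RoleName $roleName `
    -PolicyArn "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"

# EC2 attaches a role via an instance profile; the console silently creates one with the same name.
New-IAMInstanceProfile -InstanceProfileName $roleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $roleName -RoleName $roleName

# Verify the trust relationship: the API returns the document URL-encoded.
$encoded = (Get-IAMRole -RoleName $roleName).AssumeRolePolicyDocument
$statement = ([uri]::UnescapeDataString($encoded) | ConvertFrom-Json).Statement
if ($statement.Principal.Service -ne "ec2.amazonaws.com") {
    throw "Unexpected principal in trust policy: $($statement.Principal | ConvertTo-Json -Compress)"
}
"Role $roleName is trusted by EC2 and has AmazonEC2RoleforSSM attached."
```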

Section 2: Deploying the Management Server

  1. Log in to the AWS Console and go to the EC2 console. In the Find Services search box, type EC2.
  2. Before you begin the lab, make sure you are in the “N. Virginia” region (check the upper right hand corner of the screen). For this lab, you will deploy the management server in the same VPC as Managed AD.
  3. Click on “Launch Instance”.
  4. For the Amazon Machine Image (AMI), search for the newest Microsoft Windows Server base image (e.g. Microsoft Windows Server 2019 Base) and click Select.
  5. For the Instance type, please select “t2.medium” for the management server. Click “Next: Configure Instance Details” after you select the instance type.
  6. For the Instance configuration,

    a. For Network, select your WinVPC-VPCStack

    b. For Subnet, select Private subnet 1A.

    c. For Domain join directory, select corp.example.com. Notice that we can have the new EC2 instance automatically joined to the AD domain when we create it.

    d. For IAM role, select DomainJoinEC2. To do the domain join, we need to assign a role to the instance that enables this operation.

    Important: For the AD auto domain join feature to work, the two prior steps (c and d) must both be completed. In prior runs of this training, this is a step that attendees have commonly missed, which caused problems in later steps. Please verify that you completed both steps.

    e. Click “Next: Add Storage”.

  7. Leave all the values in the storage page as default. Click “Next: Add Tags”.

  8. Click on “Add tag” and enter “Name” for the key and “AD Management Server - <initials>” for the value. For EC2 instances, the name field is important to set since this name field value is used to identify the server in the list of EC2 instances. Click “Next: Configure Security Group”.

  9. Click on “Create a new security group”.

    a. For Security Group name, enter “Internal Windows SG”.

    b. For Description, enter a description of the security group usage.

    c. For the RDP rule, go to the source network address field and enter “10.0.0.0/16”. This is the network address of the VPC that we just created, so we are only allowing hosts on this network to RDP into this server.

  10. Once you verify all the details on this page, click on “Review and Launch”.

  11. Review the settings, click “Launch”.

  12. Select the key pair that you created in Lab 1 (WinLab-KeyPair). If you didn’t create a key pair earlier, then you will need to select “Create a new key pair.” In the picture below, I show the key pair that we created in an earlier lab.

  13. Click the “I acknowledge …” checkbox and then click “Launch Instances”.

  14. Click “View Instances”.
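The launch from Section 2 done with AWS Tools for PowerShell (an added example, not the lab's own code). It assumes the VPC, subnet and directory IDs marked as placeholders below, and it also shows what the console's “Domain join directory” drop-down does behind the scenes: an SSM association running the AWS-JoinDirectoryServiceDomain document against the new instance.

```powershell
# Added example (not the lab's own code): Section 2 with AWS Tools for PowerShell.
# Placeholders below come from the lab's own stack; replace them before running.
$vpcId       = "<vpc-id of WinVPC-VPCStack>"
$subnetId    = "<subnet-id of Private subnet 1A>"
$directoryId = "<directory id of corp.example.com>"
$keyName     = "WinLab-KeyPair"
$vpcCidr     = "10.0.0.0/16"

# Security group: RDP (TCP 3389) only from inside the VPC, nothing from the Internet.
$sgId = New-EC2SecurityGroup -GroupName "Internal Windows SG" `
            -Description "RDP from inside the VPC only" -VpcId $vpcId
$rdp = @{ IpProtocol = "tcp"; FromPort = 3389; ToPort = 3389; IpRanges = @($vpcCidr) }
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $rdp

# Newest Windows Server 2019 Base AMI, resolved through the public SSM parameter (no hard-coded ID).
$amiId = (Get-SSMParameter -Name "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base").Value

# Name tag, as in step 8.
$tagSpec = New-Object Amazon.EC2.Model.TagSpecification
$tagSpec.ResourceType = "instance"
$tagSpec.Tags.Add([Amazon.EC2.Model.Tag]::new("Name", "AD Management Server - <initials>"))

# Private subnet, no public IP, and the instance profile from Section 1 so SSM can perform the join.
$reservation = New-EC2Instance -ImageId $amiId -InstanceType t2.medium `
    -SubnetId $subnetId -SecurityGroupId $sgId -KeyName $keyName `
    -InstanceProfile_Name "DomainJoinEC2" -AssociatePublicIp $false -TagSpecification $tagSpec
$instanceId = $reservation.Instances[0].InstanceId

# What the console's "Domain join directory" selection creates for you: an SSM association
# that runs AWS-JoinDirectoryServiceDomain with the directory's ID, name and DNS addresses.
$dir = Get-DSDirectory -DirectoryId $directoryId
New-SSMAssociation -Name "AWS-JoinDirectoryServiceDomain" `
    -Target @{ Key = "InstanceIds"; Values = @($instanceId) } `
    -Parameter @{ directoryId = @($dir.DirectoryId); directoryName = @($dir.Name); dnsIpAddresses = $dir.DnsIpAddrs }

"Launched $instanceId in $subnetId; private IP for Section 3: $($reservation.Instances[0].PrivateIpAddress)"
```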

Section 3: Logging onto the AD Management Server

You will next log in to the AD management server using Remote Desktop Protocol (RDP) and install the Active Directory tools. The AD management server doesn’t allow RDP connections from the Internet, only from hosts inside the VPC subnet. To RDP to the AD management server, you will first need to establish an RDP connection to the RDGW server, which is in the public subnet and is considered a bastion host/jump server. Then, from the RDGW server, you will establish an RDP connection to the AD management server, which resides in the private subnet.

If you are connecting from a Windows computer, the RDP client should already be present. If you are using a Mac, please download the RDP client here.

  1. Go to the EC2 console, select the AD Management server that you created and, in the Description box below, look for the Private IP address of the server. Please note that your private IP address may be different from the one shown below. You may need to wait until the Instance State changes to running.
  2. Follow the steps in Lab 1: Connecting to the RD Gateway Server to establish a remote desktop session to the RDGW server. This server serves as our jump box/bastion host to get into our environment.
  3. Once you are logged into the RDGW server, establish a remote desktop connection to the management server that you just created. On the RDGW server, type mstsc to launch the RDP connection client.
  4. Enter the private IP address of the AD Management server that you just created in the RDP connection window.
  5. On the credentials screen,

    a. For user name, enter corp\admin. Corp is the NetBIOS name of the domain and Admin is the administrator account created in AWS Managed Microsoft AD.

    b. For the password, enter the password that you typed in when you created the AWS Managed Microsoft AD.

  6. Notice that you are able to log in with an AD domain account. Open a Windows Explorer window. Right click “This PC” and select Properties. Notice that the computer has been joined to the AWS Managed Microsoft AD that you created earlier. This is the auto AD join feature that we selected when we created the AD management server.

  7. Go to the Windows icon in the lower left corner, type “Server Manager” to open the “Server Manager Dashboard”. Click “Add roles and features”.

  8. Click “Next” (4 times) until you get to the Select Features screen. Select the “Remote Server Administration Tools”. In the Role Administration Tools, also select “DNS Server Tools”. Click “Next” a couple of times, and click “Install” to start the install.

  9. Once you finish installing the AD DS & DNS tools, follow the same process to install the Group Policy Management tool as shown.

  10. Once the installation is completed, you can close the Server Manager. The Active Directory tools can be found under Control Panel -> System and Security -> Administrative Tools as follows. You can open any of these Active Directory tools and start administering your AWS Managed AD. Windows automatically uses the logged-on user for these tools. If you want to use a different user, either use “runas” or log in to the server with different credentials.

  11. Open the Active Directory Users and Computers tool. Note the domain name for the AD forest. Also note that there is an OU called AWS Delegated Groups. When you use AWS Managed Microsoft Active Directory, the admin account that you are given is not an AD domain administrator. AWS creates a set of AD groups that have been delegated administrative rights to perform certain tasks. These groups are listed in this OU.

  12. Also note that there is an OU with the same name as the NetBIOS name of the AD forest (e.g. corp). Go to this OU and explore its contents. This OU is where you can create your users and create additional sub-OU’s.
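Steps 6 through 12 from a PowerShell prompt on the management server, as an added example (not the lab's own code). It assumes you are logged in over RDP as corp\admin and that the domain layout is the one the lab describes: an “AWS Delegated Groups” OU and an OU named after the NetBIOS name.

```powershell
# Added example (not the lab's own code): run on the AD Management Server as corp\admin.

# Step 6: confirm the seamless domain join happened before installing anything.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Not domain-joined: re-check the IAM role and directory selection from Section 2."
}
"Joined to domain: $($cs.Domain)"

# Steps 7-9: AD DS tools, DNS Server tools and Group Policy Management in a single pass.
$result = Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server, GPMC
$result | Select-Object Success, RestartNeeded,
    @{ n = 'Installed'; e = { ($_.FeatureResult | ForEach-Object Name) -join ', ' } }

# Steps 11-12: inspect what AWS pre-created (RSAT-AD-Tools includes the ActiveDirectory module).
Import-Module ActiveDirectory
$domain = Get-ADDomain
"Forest: $($domain.Forest)   NetBIOS: $($domain.NetBIOSName)"

# The admin account is not a Domain Admin; its rights come from the delegated groups.
$delegatedOU = Get-ADOrganizationalUnit -Filter "Name -eq 'AWS Delegated Groups'"
"Delegated groups:"
Get-ADGroup -SearchBase $delegatedOU.DistinguishedName -Filter * | ForEach-Object Name

"Groups that corp\admin actually belongs to:"
Get-ADPrincipalGroupMembership -Identity "admin" | ForEach-Object Name

# The OU named after the NetBIOS name (corp) is where your own users and sub-OUs go.
$corpOU = Get-ADOrganizationalUnit -Identity "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
Get-ADObject -SearchBase $corpOU.DistinguishedName -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass
```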

Congratulations!

You have successfully launched a management server that you can use to administer your AWS Managed Microsoft AD. For high availability purposes, you can launch multiple management servers in different availability zones as required.

To recap, in this lab you learned:

  • What is an IAM role and what it is used for

  • How to create an EC2 Windows instance and auto join it to an Active Directory domain

  • How to use the jump server/RDGW infrastructure pattern. In this pattern, you RDP into a jump server and then from the jump server, you can access the resources in your private subnets.

  • How to administer AWS Managed Microsoft AD.

    • Remember that you are not given Domain Admins rights. Instead, a set of delegated AD groups have been created that have been given the permissions to perform various domain operations. Add the users that you want to perform the various domain operations to those AD groups.

    • You create your users in the OU that has been created and given the name matching the NetBIOS name of your domain (e.g. corp in our lab).
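The two administration habits from the recap, creating users in the corp OU and granting rights only through the delegated groups, as an added example (not the lab's own code). The delegated group name is an assumption you supply from the list the script prints; the functions New-LabUser and Grant-DelegatedRole are hypothetical helpers written for this example.

```powershell
# Added example (not the lab's own code): run on the management server as corp\admin.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$corpOU      = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
$delegatedOU = (Get-ADOrganizationalUnit -Filter "Name -eq 'AWS Delegated Groups'").DistinguishedName

function New-LabUser {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$DisplayName,
          [Parameter(Mandatory)][securestring]$Password)
    # Users go in the corp OU, never in the AWS-managed OUs.
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$($domain.DNSRoot)" -Path $corpOU `
        -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true -PassThru
}

function Grant-DelegatedRole {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$GroupName)
    # Only groups inside the AWS Delegated Groups OU are accepted, so a typo cannot
    # silently add the user to some unrelated group elsewhere in the domain.
    $group = Get-ADGroup -SearchBase $delegatedOU -Filter "Name -eq '$GroupName'"
    if (-not $group) { throw "'$GroupName' is not a delegated group under $delegatedOU" }
    Add-ADGroupMember -Identity $group -Members $SamAccountName
    Get-ADGroupMember -Identity $group | Select-Object SamAccountName
}

# Usage: list the delegated groups, create a user, then delegate exactly one role to them.
Get-ADGroup -SearchBase $delegatedOU -Filter * | ForEach-Object Name
$pw = Read-Host -AsSecureString "Initial password"
New-LabUser -SamAccountName "jdoe" -DisplayName "Jane Doe" -Password $pw
Grant-DelegatedRole -SamAccountName "jdoe" -GroupName "<delegated group name from the list above>"
```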

Please reflect and ask the lab facilitator any questions that you have.