Author: Dean Suzuki (Last Updated: 8/23/20)
In AWS Managed Microsoft AD, the Domain Controllers (DCs) are managed by AWS. You cannot log in to the DCs using Remote Desktop Protocol (RDP). To manage the data within the AWS Managed Microsoft AD (e.g. users, computers, group policy, sites, site links, DNS, etc.), you need to create a management server and perform all the domain management operations from that server. This management server can be placed anywhere on the network as long as the necessary network connectivity exists between the Domain Controllers and the management server.
In this lab, you will deploy a management server in your VPC and install the Active Directory tools to manage your AWS Managed Microsoft AD. You will also experience the seamless domain join feature, which automatically joins the new management server to AD as a domain member when you deploy it. After this lab, your environment will look like the diagram below.
For more information on AWS Directory service, please visit our developers guide.
For the Instance configuration,
a. For Network, select your WinVPC-VPCStack
b. For Subnet, select Private subnet 1A.
c. For Domain join directory, select corp.example.com. Notice that we can have the new EC2 instance automatically joined to the AD domain when we create it.
d. For IAM role, select DomainJoinEC2. To do the domain join, we need to assign a role to the instance that enables this operation.
Important: For the AD auto domain join feature to work, the two prior steps (c and d) must both be completed. In prior runs of this training, this is a common step that attendees have missed, and they then had problems in later steps. Please verify that you completed both of the two prior steps.
e. Click “Next: Add Storage”.
Leave all the values in the storage page as default. Click “Next: Add Tags”.
Click on “Add tag” and enter “Name” for the key and “AD Management Server - <initials>” for the value. For EC2 instances, the name field is important to set since this name field value is used to identify the server in the list of EC2 instances. Click “Next: Configure Security Group”.
Click on “Create a new security group”.
a. For Security Group name, enter “Internal Windows SG”
b. For Description, enter a description of the security group usage.
c. For the RDP rule, go to the network address field and enter “10.0.0.0/16”. This is the network address of the VPC that we just created, so only hosts on this network are allowed to RDP into this server.
Once you verify all the details on this page, click on “Review and Launch”.
Review the settings, click “Launch”.
Select the key pair that you created in Lab 1 (WinLab-KeyPair). If you didn’t create a key pair earlier, then you will need to select “Create a new key pair.” In the picture below, I show the key pair that we created in an earlier lab.
Click the “I acknowledge …” checkbox and then click “Launch Instances”.
Click “View Instances”.
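The console steps above can be reproduced from a script, which also makes it easy to check the two prerequisites the Important note warns about. The following is an added example using AWS Tools for PowerShell; it is not part of the lab. The VPC, subnet and directory IDs are placeholders, the instance type and AMI parameter are my choices, and the two managed policy names and the AWS-JoinDirectoryServiceDomain SSM document are the standard AWS ones that the console's "Domain join directory" option relies on.

```powershell
# Added example, not part of the lab: launch the AD management server with AWS Tools for PowerShell.
# Replace the PLACEHOLDER IDs with the values from your own account before running.
Import-Module AWS.Tools.EC2, AWS.Tools.SimpleSystemsManagement, AWS.Tools.DirectoryService, AWS.Tools.IdentityManagement

$vpcId       = 'vpc-PLACEHOLDER'      # WinVPC-VPCStack
$subnetId    = 'subnet-PLACEHOLDER'   # Private subnet 1A
$directoryId = 'd-PLACEHOLDER'        # corp.example.com in AWS Managed Microsoft AD
$keyName     = 'WinLab-KeyPair'
$initials    = 'XX'                   # your initials for the Name tag

# 1. Check the IAM role behind "Domain join directory". Without these two managed policies the
#    SSM agent on the instance cannot run the join, which is the step attendees most often miss.
$required = @('AmazonSSMManagedInstanceCore', 'AmazonSSMDirectoryServiceAccess')
$attached = (Get-IAMAttachedRolePolicyList -RoleName 'DomainJoinEC2').PolicyName
$missing  = $required | Where-Object { $_ -notin $attached }
if ($missing) { throw "Role DomainJoinEC2 is missing policies: $($missing -join ', ')" }

# 2. Security group: RDP (TCP 3389) only from inside the VPC, never from 0.0.0.0/0.
$sgId = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'Internal Windows SG' -Description 'RDP from inside the VPC only'
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission @{
    IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = @('10.0.0.0/16')
}

# 3. Launch the instance in the private subnet with the instance profile that carries the role.
#    The AMI is resolved from the public SSM parameter for the latest Windows Server 2019 image.
$amiId = (Get-SSMParameter -Name '/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base').Value
$reservation = New-EC2Instance -ImageId $amiId -InstanceType 't3.medium' -SubnetId $subnetId `
    -SecurityGroupId $sgId -KeyName $keyName -InstanceProfile_Name 'DomainJoinEC2' -MinCount 1 -MaxCount 1
$instanceId = $reservation.Instances[0].InstanceId
New-EC2Tag -Resource $instanceId -Tag @{ Key = 'Name'; Value = "AD Management Server - $initials" }

# 4. What the console does for "Domain join directory": an SSM association that runs the
#    AWS-JoinDirectoryServiceDomain document on the instance using the directory's own DNS servers.
$dir = Get-DSDirectory -DirectoryId $directoryId
New-SSMAssociation -Name 'AWS-JoinDirectoryServiceDomain' -InstanceId $instanceId -Parameter @{
    directoryId    = @($directoryId)
    directoryName  = @($dir.Name)
    dnsIpAddresses = @($dir.DnsIpAddrs)
}

# 5. Follow the join: the association status moves to Success once the document has run.
Get-SSMInstanceAssociationsStatus -InstanceId $instanceId | Select-Object Name, Status, DetailedStatus
```

Step 5 is the place to look if the instance never shows up as a domain member: a Failed or Pending status on the association points at the role or directory selection rather than at anything inside Windows.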
You will next log in to the AD management server using Remote Desktop Protocol (RDP) and install the Active Directory Tools. The AD management server doesn’t allow RDP connections from the Internet, only from hosts inside the VPC subnet. To RDP to the AD management server, you will first need to establish an RDP connection to the RDGW server, which is in the public subnet and is considered a bastion host/jump server. Then, from the RDGW server, you will establish an RDP connection to the AD management server, which resides in the private subnet.
If you are connecting from a Windows computer, RDP should already be present. If you are using a Mac, please download the RDP client here.
On the credentials screen,
a. For user name, enter corp\admin. Corp is the NetBIOS name of the domain and Admin is the administrator account created in AWS Managed Microsoft AD.
b. For the password, enter the password that you typed in when you created the AWS Managed Microsoft AD.
Notice that you are able to log in with an AD domain account. Open a Windows Explorer window. Right click “This PC” and select Properties. Notice that the computer has been joined to the AWS Managed Microsoft AD that you created earlier. This is the auto AD join feature that we selected when we created the AD management server.
Go to the Windows icon in the lower left corner, type “Server Manager” to open the “Server Manager Dashboard”. Click “Add roles and features”.
Click “Next” (4 times) until you get to the Select Features screen. Select the “Remote Server Administration Tools”. In the Role Administration Tools, also select “DNS Server Tools”. Click “Next” a couple of times, and click “Install” to start the install.
Once you finish installing the AD DS & DNS tools, follow the same process to install the Group Policy Management tool as shown.
Once the installation is completed, you can close the Server Manager. The Active Directory tools can be found under Control Panel -> System and Security -> Administrative Tools as follows. You can open any of these Active Directory tools and start administering your AWS Managed AD. Windows automatically uses the logged-on user for these tools. If you want to use a different user, either use “runas” or log in to the server with different credentials.
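The same tools can be installed from an elevated PowerShell session on the management server, which also lets you confirm the domain join and DC reachability without clicking through Server Manager. This is an added example, not part of the lab; the feature names are the Windows Server role/feature identifiers for the items selected above, and the session is assumed to be running as corp\admin.

```powershell
# Added example, not part of the lab: install the AD DS, DNS and Group Policy management tools
# and verify the seamless domain join from PowerShell. Run elevated, logged on as corp\admin.

# Feature identifiers for the Server Manager items used in the lab.
$features = @(
    'RSAT-AD-Tools',    # AD DS and AD LDS Tools: ADUC, ADSI Edit, AD PowerShell module
    'RSAT-DNS-Server',  # DNS Server Tools
    'GPMC'              # Group Policy Management
)
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw "RSAT install failed with exit code $($result.ExitCode)" }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart may be needed before all tools work.' }
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

# 1. Is this server a domain member, and of which domain? (the PowerShell view of "This PC" -> Properties)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'Not domain joined: re-check the IAM role and the Domain join directory selection at launch.'
}
"Joined to domain: $($cs.Domain)"

# 2. Is the machine account's secure channel to a DC healthy? Returns $true when it is.
if (-not (Test-ComputerSecureChannel)) { Write-Warning 'Secure channel to the domain is broken.' }

# 3. Which DC did we locate, and what does the domain look like? Uses the module just installed.
Import-Module ActiveDirectory
Get-ADDomainController -Discover | Select-Object HostName, Site, IPv4Address
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator

# 4. The tools run as the logged-on user: this is who every AD cmdlet will act as.
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
```

Step 2 is the quickest check when an AD tool later reports that it cannot contact the domain: a healthy secure channel plus a discovered DC means the problem is permissions, not connectivity.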
Open the Active Directory Users and Computers tool. Note the domain name for the AD forest. Also note that there is an OU called AWS Delegated Groups. When you use AWS Managed Microsoft Active Directory, the admin account that you are given is not an AD domain administrator. Instead, AWS creates a set of AD groups that have been delegated administrative rights to perform certain tasks. These groups are listed in this OU.
Also note that there is an OU with the same name as the NetBIOS name of the AD forest (e.g. corp). Go to this OU and explore its contents. This OU is where you can create your users and create additional sub-OU’s.
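The delegation model described in the last two paragraphs can be inspected, and used, from the Active Directory PowerShell module installed earlier. The following is an added example, not part of the lab. It assumes the RSAT tools are installed and the session runs as corp\admin; the "Users" sub-OU under the corp OU, the group name "AWS Delegated Server Administrators" (one of the groups AWS creates in the AWS Delegated Groups OU) and the test user are assumptions or constructed values that should be checked against the listing the script prints.

```powershell
# Added example, not part of the lab: inspect the delegated-administration model and create a
# user in the OU named after the domain's NetBIOS name. Run as corp\admin with RSAT installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$base   = $domain.DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$nb     = $domain.NetBIOSName         # e.g. corp

# 1. The admin account AWS gives you is deliberately not in Domain Admins.
$adminGroups = (Get-ADPrincipalGroupMembership -Identity 'admin').Name
"admin is in Domain Admins: $($adminGroups -contains 'Domain Admins')"   # expected: False
"admin group memberships:"
$adminGroups | Sort-Object

# 2. The groups that actually carry delegated rights live in the AWS Delegated Groups OU.
$delegatedOU = "OU=AWS Delegated Groups,$base"
"Delegated groups:"
Get-ADGroup -SearchBase $delegatedOU -Filter * | Sort-Object Name | Select-Object Name, GroupScope

# 3. Your own objects belong under the OU named after the NetBIOS name (e.g. OU=corp,...).
$corpOU = "OU=$nb,$base"
"Sub-OUs under $corpOU :"
Get-ADOrganizationalUnit -SearchBase $corpOU -SearchScope OneLevel -Filter * | Select-Object Name, DistinguishedName

# 4. Create a user there (constructed values) and grant rights through a delegated group,
#    which is how permissions are meant to be handed out in this directory.
$userOU   = "OU=Users,OU=$nb,$base"                    # assumption: default Users sub-OU
$password = Read-Host -Prompt 'Temporary password' -AsSecureString
New-ADUser -Name 'Lab Helpdesk' -SamAccountName 'labhelpdesk' `
    -UserPrincipalName "labhelpdesk@$($domain.DNSRoot)" -Path $userOU `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Assumed group name from AWS's default set; pick the group that matches the task from the listing above.
Add-ADGroupMember -Identity 'AWS Delegated Server Administrators' -Members 'labhelpdesk'
Get-ADUser -Identity 'labhelpdesk' -Properties MemberOf | Select-Object Name, DistinguishedName, MemberOf
```

Trying to add the new user to Domain Admins instead of a delegated group will fail with an access-denied error, which is the practical meaning of "you are not given Domain Admins rights" in the recap below.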
You have successfully launched a management server that you can use to administer your AWS Managed Microsoft AD. For high availability purposes, you can launch multiple management servers in different availability zones as required.
To recap, in this lab you learned:
What is an IAM role and what it is used for
How to create an EC2 Windows instance and auto join it to an Active Directory domain
How to use the jump server/RDGW infrastructure pattern. In this pattern, you RDP into a jump server and then from the jump server, you can access the resources in your private subnets.
How to administer AWS Managed Microsoft AD.
Remember that you are not given Domain Admins rights. Instead, a set of delegated AD groups have been created that have been given the permissions to perform various domain operations. Add the users that you want to perform the various domain operations to those AD groups.
You create your users in the OU that has been created and given the name matching the NetBIOS name of your domain (e.g. corp in our lab).
Please reflect and ask the lab facilitator any questions that you have.