Step 2: Deploying Active Directory

Author: Dean Suzuki (Last Updated: 8/23/20)

Abstract

Now that you have a network infrastructure in place, the next step is to deploy Microsoft Active Directory into the environment. There are a couple of options for running Active Directory (AD) in AWS. One option is to create Windows EC2 instances and promote them to domain controllers. In this lab, you will get experience deploying AWS Managed Microsoft Active Directory.

AWS Managed Microsoft Active Directory (AD) is AWS's fully managed Active Directory service. AWS is responsible for maintaining the AD domain controllers (patching and backups). The architecture is shown below.

When you launch AWS Managed Microsoft AD, AWS creates a pair of domain controllers in a new AD forest. The domain controllers run in different Availability Zones in a region of your choice. The domain controllers operate in an AWS-managed VPC, and an elastic network interface (ENI) is placed in each of two Availability Zones in your VPC.

With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory, providing users and groups with access to resources in either domain, using single sign-on (SSO).

For more information on AWS Directory Service, see the AWS Directory Service developer guide.

Section 1: Deploying AWS Managed Active Directory (MAD)

In this module, you will deploy AWS Managed Microsoft Active Directory.

  1. Log in to the AWS Console and navigate to the Directory Service console. In the "Find a service" search field, type Directory Service.
  2. Make sure you are in the “N. Virginia” region by checking on the top right corner in the AWS Console.
  3. If this is the first time you are opening the Directory Services in this region, you’ll be prompted with a welcome screen. Select “AWS Managed Microsoft AD” and click on Set up directory.
  4. If you’ve already worked with the Directory Service in this region, you may see the screen below. If you do, please click on Set up directory.
  5. In the next screen, select “AWS Managed Microsoft AD” and click Next.
  6. In the Enter Directory Information screen, enter the following information:

    a. For Edition: select Standard Edition. Note that the console shows a brief comparison of the Standard Edition and Enterprise Edition together with rough cost estimates.

    b. Directory DNS name: corp.example.com [Make this DNS name unique from your other directories so you can establish trusts in the future if required.]

    c. Directory NetBIOS name: corp [Make this NetBIOS name unique from your other directories as well, so you can establish trusts in the future if required.]

    d. Directory Description: This is a managed AD on AWS for the domain corp

    e. Admin password: <use a password you can remember. You will use this in future labs>. Please also review the password complexity requirements outlined on the screen.

    f. Confirm password: <confirm the password again>

    g. Click Next.

  7. For the VPC and subnets, please select the WinVPC-VPCStack that you created in Lab 1 and select the two private subnets Private subnet 1A and Private subnet 2A.

  8. After selecting the VPC and subnets, click Next.

  9. On the Review & create screen, review the settings and click on Create Directory.

  10. The directory will take about 20 minutes to create. During this time, AWS is provisioning two Windows servers and promoting them to be Active Directory domain controllers for the new AD forest that you specified.

  11. This is a good time to take a break as the creation process will take time.

  12. The process is complete when the status field changes to Active. Once the directory is created, you can see its details by clicking on the Directory ID. The two DNS IP addresses listed are the IP addresses of the elastic network interfaces (ENIs) that have been placed in your Availability Zones to communicate with the AWS Managed Microsoft AD domain controllers.
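The same deployment can be driven from the AWS CLI, which is useful when you want the directory parameters in version control rather than in a sequence of console clicks. The script below is an added example and is not part of the lab or of AWS's own tooling. It assumes AWS CLI v2 is installed and configured for the N. Virginia region (us-east-1); the VPC and subnet IDs are read from the environment variables VPC_ID, SUBNET_1A and SUBNET_2A (placeholders for the WinVPC-VPCStack VPC and its two private subnets), and the admin password is read from MAD_ADMIN_PASSWORD. The password checks implement the complexity rules AWS Managed Microsoft AD enforces on the admin password (8 to 64 characters, at least three of the four character classes, and no "admin" substring), and the NetBIOS check enforces the 15-character, no-dots limit that applies to the short name.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): deploy AWS Managed Microsoft AD from the CLI
# with the same parameters the console walkthrough uses.
# Placeholders: VPC_ID, SUBNET_1A, SUBNET_2A (your WinVPC-VPCStack IDs) and
# MAD_ADMIN_PASSWORD must be set in the environment before running "deploy".
set -eu

# Validate the admin password against the AWS Managed Microsoft AD rules:
# 8-64 characters, at least three of the four character classes
# (lowercase, uppercase, digit, special), and it must not contain "admin".
check_admin_password() {
  local pw="$1" classes=0
  [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 64 ] || return 1
  case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ] || return 1
  case "$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')" in
    *admin*) return 1 ;;
  esac
  return 0
}

# A NetBIOS short name is at most 15 characters and contains no dots or spaces.
check_netbios_name() {
  local n="$1"
  [ -n "$n" ] && [ "${#n}" -le 15 ] || return 1
  case "$n" in *[.\ ]*) return 1 ;; esac
  return 0
}

# Poll until the directory stage is Active (roughly 20 minutes), then print the
# DNS IP addresses of the ENIs that were placed in your subnets.
wait_for_active() {
  local dir_id="$1" stage
  while :; do
    stage=$(aws ds describe-directories --directory-ids "$dir_id" \
              --query 'DirectoryDescriptions[0].Stage' --output text)
    echo "$(date '+%H:%M:%S') directory $dir_id stage: $stage"
    case "$stage" in
      Active) break ;;
      Failed) echo "directory creation failed" >&2; return 1 ;;
    esac
    sleep 60
  done
  aws ds describe-directories --directory-ids "$dir_id" \
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text
}

main() {
  local dns_name="corp.example.com" short_name="corp"
  local description="This is a managed AD on AWS for the domain corp"
  local vpc_id="${VPC_ID:?set VPC_ID to the WinVPC-VPCStack VPC id}"
  local subnet_a="${SUBNET_1A:?set SUBNET_1A to the Private subnet 1A id}"
  local subnet_b="${SUBNET_2A:?set SUBNET_2A to the Private subnet 2A id}"
  local pw="${MAD_ADMIN_PASSWORD:?set MAD_ADMIN_PASSWORD}"
  check_admin_password "$pw" || { echo "admin password does not meet the complexity rules" >&2; return 1; }
  check_netbios_name "$short_name" || { echo "invalid NetBIOS name: $short_name" >&2; return 1; }
  local dir_id
  dir_id=$(aws ds create-microsoft-ad --name "$dns_name" --short-name "$short_name" \
             --description "$description" --edition Standard \
             --vpc-settings "VpcId=$vpc_id,SubnetIds=$subnet_a,$subnet_b" \
             --password "$pw" --query DirectoryId --output text)
  echo "created directory $dir_id; waiting for it to become Active"
  wait_for_active "$dir_id"
}

# Only deploy when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  main
fi
```

Run it as `MAD_ADMIN_PASSWORD='...' VPC_ID=vpc-... SUBNET_1A=subnet-... SUBNET_2A=subnet-... ./deploy-mad.sh deploy`. Reading the password from an environment variable keeps it out of your shell history, although it is still visible in the argument list of the aws process while that process runs; record the two DNS IP addresses the script prints at the end, because the later labs need them for DNS forwarding and for joining instances to the domain.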

Congratulations!

You have successfully created a new AWS Managed Microsoft Active Directory (AD) in your environment.

To recap, in this lab you learned:

  • Two common options for running Active Directory in AWS: AD on EC2 or AWS Managed Microsoft AD.
  • How to create an AWS Managed Microsoft AD

Ask your lab facilitator about the benefits of using AWS Managed Microsoft AD.