How To Create an AWS-Based Active Directory Forest

Brien Posey shows how to create a cloud-based Active Directory, and how to join an AWS virtual machine instance to the Active Directory environment that's been created.

Active Directory has been the definitive mechanism for authentication and access control on Microsoft networks for nearly two decades. Not surprisingly, Amazon Web Services (AWS) lets you run one in the cloud: AWS Directory Service for Microsoft Active Directory (also called AWS Managed Microsoft AD) stands up a genuine Windows Server Active Directory forest on domain controllers that AWS patches and operates for you. In this article, I'll show you how to create a cloud-based Active Directory, and how to join an AWS virtual machine instance to the Active Directory environment that's been created.

Begin the process by selecting the Directory Service option from the list of available AWS services (it's located in the Security, Identity, and Compliance section). This will take you to the AWS Directory Service screen. Locate the Microsoft AD section, which you can see in Figure 1, and click the Set Up Directory button.

Figure 1. Click the Set Up Directory button, located in the Microsoft AD section.

At this point, you'll be taken to the Directory Details screen, which you can see in Figure 2. This screen requires you to enter a few different pieces of information. For starters, you'll need to choose between the Standard and Enterprise editions of AWS Managed Microsoft AD. Both run the same Windows Server-based domain controllers; they differ in the storage and number of directory objects they support, and in price, so choose based on the size of the directory rather than on features. You'll also need to provide a directory DNS name (the fully qualified domain name of the new forest, such as corp.example.com), a NetBIOS name of no more than 15 characters, a password and an optional description. The password is for the delegated Admin account that AWS creates in the directory; because AWS operates the domain controllers, it keeps the built-in Domain Admins and Enterprise Admins rights for itself, and the Admin account holds a delegated subset of them.

Figure 2. This is what the Directory Details screen looks like.

Once you've entered the basic directory details, you'll have to specify information about your Virtual Private Cloud (VPC). Specifically, you'll need to select a VPC from the dropdown list (or create a new VPC), and then select subnets in two separate availability zones. AWS places one domain controller in each of those subnets, which is what gives the directory its high availability, and it creates a security group for the domain controllers that governs which hosts in the VPC can reach them.

Click Next, and you'll see a summary of the information that you entered. You'll also see a warning message telling you that charges will begin to accrue as soon as the directory is active. Click the Create Microsoft AD button to begin the Active Directory creation process. It's worth noting that creating the directory takes a while, on the order of 20 to 40 minutes; the directory's status on the Directories screen changes from Creating to Active when it is ready for use.
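The same directory, created from the AWS CLI instead of the console. This is an added example and not part of the original article: it assumes AWS CLI v2 with credentials allowed to call Directory Service and EC2, and the domain name, NetBIOS name, VPC and subnet IDs are placeholders to replace. It checks the NetBIOS name and Admin password against the limits the console enforces before spending half an hour on a create call, keeps the password out of the process list by passing it through a mode-600 JSON file, and then goes one step beyond the console form by pointing the VPC's DHCP options at the new domain controllers' DNS servers, which is what lets instances in the VPC resolve the domain later.

```shell
#!/usr/bin/env bash
# Added example (not from the article): create an AWS Managed Microsoft AD forest with the
# AWS CLI using the same inputs the console form asks for, wait for it to become Active,
# then point the VPC's DHCP options at the new domain controllers' DNS servers.
# Assumes AWS CLI v2 with credentials for Directory Service and EC2. All names and IDs
# below are placeholders.
set -eu

DIRECTORY_NAME="corp.example.com"    # fully qualified DNS name of the new forest
NETBIOS_NAME="CORP"                  # NetBIOS (short) name, 15 characters max
EDITION="Standard"                   # Standard or Enterprise edition of AWS Managed Microsoft AD
VPC_ID="vpc-0123456789abcdef0"
SUBNET_A="subnet-0123456789abcdef0"  # subnet in one Availability Zone
SUBNET_B="subnet-0fedcba9876543210"  # subnet in a different Availability Zone

# NetBIOS names are at most 15 characters; conservatively allow letters, digits and hyphens.
validate_netbios_name() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in *[!A-Za-z0-9-]*) return 1 ;; esac
    return 0
}

# AWS requires the Admin password to be 8-64 characters drawn from at least three of
# four classes: lowercase, uppercase, digits, other characters.
validate_admin_password() {
    pw="$1"; classes=0
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 64 ] || return 1
    case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Shorthand for `aws ec2 create-dhcp-options --dhcp-configurations`: hand out the domain
# name and the domain controllers' addresses as the VPC's DNS servers.
dhcp_option_spec() {
    domain="$1"; shift
    ips=$(printf '%s,' "$@"); ips="${ips%,}"
    printf 'Key=domain-name,Values=%s Key=domain-name-servers,Values=%s' "$domain" "$ips"
}

create_directory() {
    validate_netbios_name "$NETBIOS_NAME" || { echo "invalid NetBIOS name: $NETBIOS_NAME" >&2; return 1; }
    read -rsp "Admin password for $DIRECTORY_NAME: " admin_password; echo >&2
    validate_admin_password "$admin_password" || { echo "password does not meet AWS rules" >&2; return 1; }

    # Pass the password through a mode-600 JSON file rather than as a --password argument,
    # which would be visible in the process list and shell history.
    params=$(mktemp); chmod 600 "$params"; trap 'rm -f "$params"' EXIT
    pw_json=$(printf '%s' "$admin_password" | sed 's/["\\]/\\&/g')   # JSON-escape " and \
    printf '{"Name":"%s","ShortName":"%s","Password":"%s","Edition":"%s","VpcSettings":{"VpcId":"%s","SubnetIds":["%s","%s"]}}\n' \
        "$DIRECTORY_NAME" "$NETBIOS_NAME" "$pw_json" "$EDITION" "$VPC_ID" "$SUBNET_A" "$SUBNET_B" > "$params"
    dir_id=$(aws ds create-microsoft-ad --cli-input-json "file://$params" --query DirectoryId --output text)
    rm -f "$params"

    # Creation takes 20-40 minutes; poll the Stage field instead of guessing.
    while :; do
        stage=$(aws ds describe-directories --directory-ids "$dir_id" \
            --query 'DirectoryDescriptions[0].Stage' --output text)
        case "$stage" in
            Active) break ;;
            Failed|Deleted) echo "directory $dir_id entered stage $stage" >&2; return 1 ;;
        esac
        sleep 60
    done

    # One DNS address per domain controller; make them the VPC's resolvers so instances
    # can find the domain before you try to join them.
    dns_ips=$(aws ds describe-directories --directory-ids "$dir_id" \
        --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text)
    # shellcheck disable=SC2046,SC2086  # splitting the spec into two Key=... arguments is intended
    opts_id=$(aws ec2 create-dhcp-options --dhcp-configurations $(dhcp_option_spec "$DIRECTORY_NAME" $dns_ips) \
        --query 'DhcpOptions.DhcpOptionsId' --output text)
    aws ec2 associate-dhcp-options --dhcp-options-id "$opts_id" --vpc-id "$VPC_ID"
    echo "Directory $dir_id is Active; VPC $VPC_ID now resolves $DIRECTORY_NAME via $dns_ips"
}

# Run only when invoked as `./create-managed-ad.sh create`, so sourcing the file for its
# helper functions does not start a (billable) directory.
if [ "${1:-}" = "create" ]; then
    create_directory
fi
```

Replacing the VPC's DHCP options affects every instance in the VPC, not just the ones you intend to join. If you would rather keep the Amazon-provided resolver as the primary DNS, the alternative is a Route 53 Resolver outbound endpoint with a forwarding rule for the directory's domain that points at the same two addresses.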

As you can see, AWS makes it easy to create a cloud-based Active Directory environment. But how can you join an AWS instance to it? The requirements are the same as they are on premises: the endpoint being joined must be able to resolve the domain name at the DNS level (in practice, the domain controller locator SRV records under _msdcs), and there must be a network path to a domain controller. In a VPC, that means the instance's DNS must point at the managed directory's DNS servers, either through the VPC's DHCP options set or through a Route 53 Resolver forwarding rule, and the directory's security group must admit the instance on the ports a domain join uses.
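A pre-flight check for those two conditions, as an added example that is not part of the original article: run it from a Linux host in the VPC (or subnet) the instance will be launched into, before attempting a join. It assumes dig and timeout are installed (bind-utils and coreutils on most distributions), and corp.example.com is a placeholder domain. It goes slightly beyond the paragraph by probing every domain controller the SRV record returns on each port a Windows domain join needs, so a failure points at either DNS (no SRV answer) or the network path (a specific host and port).

```shell
#!/usr/bin/env bash
# Added example (not from the article): verify, from a host in the VPC, that a domain can be
# located through DNS and that its domain controllers are reachable on the domain-join ports.
# Assumes dig and timeout are available; corp.example.com is a placeholder.
set -u

# TCP ports a Windows domain join needs: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB,
# Kerberos password change, LDAPS and the global catalog. The RPC dynamic range
# (49152-65535) must also be open but cannot be checked meaningfully with one probe.
AD_JOIN_PORTS="53 88 135 389 445 464 636 3268 3269"

# The DC locator record Windows clients query to find writable domain controllers.
dc_locator_record() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Turn `dig +short SRV` output ("priority weight port target.") into bare hostnames,
# lowest priority first and higher weight first within a priority, trailing dot removed.
srv_targets() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# TCP connect with a 3-second budget; returns 0 when the port accepts connections.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Resolve the locator record, then probe every domain controller on every port.
# Prints one line per probe and returns non-zero if anything failed.
preflight() {
    domain="$1"; failed=0
    record=$(dc_locator_record "$domain")
    targets=$(dig +short SRV "$record" | srv_targets)
    if [ -z "$targets" ]; then
        echo "FAIL: $record did not resolve; this host's DNS is not pointing at the directory's DNS servers" >&2
        return 1
    fi
    for dc in $targets; do
        for port in $AD_JOIN_PORTS; do
            if tcp_open "$dc" "$port"; then
                echo "ok   $dc:$port"
            else
                echo "FAIL $dc:$port (security group, NACL or route?)"; failed=1
            fi
        done
    done
    return "$failed"
}

# Usage: ./ad-preflight.sh corp.example.com
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```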

AWS exposes a series of domain join settings during the EC2 virtual machine instance creation process. If you look at Figure 3, you can see that I'm currently on Step 3 of the instance creation process. The join itself is carried out by the SSM Agent that ships in the Windows AMIs, so the instance also needs an IAM role (instance profile) granting the Systems Manager permissions used for directory join; the wizard offers to create a suitable role when you select a directory. In order to join the instance that I'm creating to my Active Directory domain, there are a few things that I need to do.

Figure 3. You can domain join an EC2 instance as a part of the instance creation process.

First, I'll need to select the correct network and subnet. As you may recall, the Active Directory domain that I created was bound to a specific VPC and a pair of subnets. The instance has to be launched into that VPC (or into one that is peered and routed to it) so that it can reach the domain controllers, and its subnet must use DNS that resolves the directory's domain.

Next, I'll select the Active Directory forest from the Domain Join Directory dropdown, which you can see in Figure 3.

It's relatively easy to join an EC2 instance to an AWS-based Active Directory. It is worth noting, however, that AWS bills you for the entire time that your Active Directory environment is active (apart from any free trial you're eligible for). As such, if you want to play with this technique in a lab environment, it's a good idea to delete the directory when you're done. To do so, simply go to the Directories screen, select your Active Directory, and then click on the Delete button shown in Figure 4. Upon doing so, you'll be prompted to confirm the name of the directory that you want to delete, and then the directory will be removed. Keep in mind that deleting the directory destroys the domain controllers: any instances you joined are left pointing at a domain that no longer exists, and if you changed the VPC's DHCP options to use the directory's DNS addresses, switch them back or name resolution in that VPC will fail.

Figure 4. Go to the Directories screen to delete the Active Directory environment.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

