Getting Started with Active Directory Management in AWS
About a year ago, I wrote a series of blog posts in which I explained how to deploy a cloud-based Active Directory environment to the AWS cloud with just a few clicks.
As easy as the Active Directory deployment process might be, however, I wanted to revisit the topic because my original article series did not address the question of what to do next, once the Active Directory is up and running. After all, the AWS console provides a few basic options such as setting up trust relationships or adding a certificate, but it doesn't provide any clear guidance on how to start setting up user accounts.
Unfortunately, you can't set up Active Directory users from within the AWS Directory Service console. Instead, you will have to join an EC2 instance to the newly created Active Directory domain and then use that instance for your Active Directory management tasks.
To get started, open the EC2 console and click the Launch Instance button. As the console guides you through the instance creation process, make sure that you choose a Windows base image. Upon doing so, you will be taken to the Choose Instance Type screen. There isn't anything special that you need to do here, but there are a few things that you will need to pay attention to on the next screen (Step 3: Configure Instance Details).
The first thing that you must do on this screen is to make sure that you select the same VPC as was used for the Directory Service. You are also going to need to choose a subnet that aligns with your Active Directory environment. The Configure Instance Details screen also includes a Domain Join Directory drop-down option. You will need to select the appropriate domain name from the drop-down.
One last thing that you will need to do before moving on is to select an IAM role that has the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess managed policies attached to it. If you do not have such a role, you can click the Create New IAM Role link to create the necessary role. You can see what these options look like in Figure 1.
The rest of the instance deployment process is the same as for any other instance that you might create. Just make sure that you allow RDP access to the instance.
Once the new instance has been created, try logging in using an RDP connection and your domain admin credentials. Don't forget that AWS uses a slightly different naming convention than what you might be used to. In a native Windows Server environment, the domain admin's username would be domain name\Administrator (for example: poseylab\Administrator). In AWS, however, the domain admin's name is Admin, not Administrator (example: poseylab\Admin). Also, make sure that you enter the domain credentials (the default password that you provided when you created the Active Directory environment), and not the password that corresponds to the instance that you just created.
If you are unable to log into the instance using the domain admin credentials, then it is possible that the IAM role that you supplied during the instance creation process lacked the necessary permissions to join the instance to the domain. If that happens, then the best thing that you can do is to terminate the instance and create a new one. This time, rather than choosing an existing IAM role, click the option to create a new role.
Even after you have managed to log into your Active Directory domain from the newly created instance, there is one more thing that you will have to do before you will be able to manage your Active Directory environment from the instance. You are going to need to install the required management tools. To do so, open Server Manager and then choose the Add Roles and Features command from the Manage menu. This will cause Windows to launch the Add Roles and Features wizard. Click your way through the wizard, accepting the defaults, until you reach the Select Server Roles screen. Select the Active Directory Domain Services checkbox, as shown in Figure 2, and then click the Add Features button. Now, just click Next a few times, followed by Install to complete the process. It is worth noting that this does not cause the instance to become a domain controller, nor is there a requirement for you to convert the instance to a domain controller later on.
When the wizard finishes, you will be able to access the Active Directory Users and Computers console (and other Active Directory tools) from Server Manager's Tools menu, as shown in Figure 3. You can use these tools to manage your AWS-based Active Directory database, as shown in Figure 4.
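The same post-deployment steps, scripted from an elevated PowerShell session on the new instance. This is an added example, not code from the article: it checks that the domain join actually happened (the failure case from the troubleshooting paragraph), installs only the remote administration tools instead of the AD DS role the wizard adds, and then confirms the Admin account and the delegated OU that AWS Managed Microsoft AD hands to you. The DNS name poseylab.local is an assumption; the article only gives the NetBIOS name poseylab.

```powershell
# Added example (not from the original article). Assumes the directory's DNS
# name is poseylab.local; adjust $DomainDns to match your Directory Service.
$DomainDns = 'poseylab.local'

# 1. Confirm the SSM domain join succeeded. If PartOfDomain is $false, the
#    instance role most likely lacked AmazonSSMManagedInstanceCore or
#    AmazonSSMDirectoryServiceAccess; re-create the instance with a correct role.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Not domain-joined (workgroup '$($cs.Workgroup)'); check the instance IAM role."
}
Write-Host "Joined to domain: $($cs.Domain)"

# 2. Install only the AD remote administration tools (ADUC, ADAC, AD module).
#    This differs from the article's wizard walk-through, which selects the
#    AD DS role; the tools alone are enough to manage the managed directory.
$result = Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature
if (-not $result.Success) { throw "RSAT-AD-Tools install failed: $($result.ExitCode)" }

# 3. Query the directory. The domain join pointed this instance's DNS at the
#    managed domain controllers, so Get-ADDomain also proves name resolution.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Server $DomainDns
"Forest: {0}  NetBIOS: {1}  DN: {2}" -f $domain.Forest, $domain.NetBIOSName, $domain.DistinguishedName

# 4. AWS names the directory administrator "Admin", not "Administrator".
Get-ADUser -Identity 'Admin' -Server $DomainDns -Properties MemberOf |
    Select-Object SamAccountName, Enabled, @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }

# 5. Admin only has full control inside the OU named after the NetBIOS name
#    (with child OUs "Users" and "Computers"); the default CN=Users container
#    is AWS-reserved, so new accounts belong under this path.
$usersOu = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
Get-ADOrganizationalUnit -Identity $usersOu -Server $DomainDns | Select-Object DistinguishedName

# 6. First user account, created in the delegated OU. The name is constructed
#    for this example; the password is prompted for rather than kept in the script.
$pw = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName "jdoe@$DomainDns" `
    -Path $usersOu -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true -Server $DomainDns
Get-ADUser -Identity 'jdoe' -Server $DomainDns | Select-Object DistinguishedName, Enabled
```

Run it once as the poseylab\Admin account; if step 5 fails with an object-not-found error, the directory is not AWS Managed Microsoft AD and the OU layout will differ.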
Brien Posey is a 21-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.