Creating Self-Managed AD on AWS
In today’s digital landscape, a dependable system for organizing and managing user accounts is crucial for businesses, and Amazon Web Services (AWS) offers a powerful platform for building one. This article focuses on creating a reliable self-managed Active Directory (AD) system on AWS. By spreading two AD Domain Controllers across multiple availability zones, we ensure that the directory stays available even if one zone fails. Using standard EC2 instances and following Microsoft’s requirements, we’ll walk through the setup process step by step. This guide aims to help administrators build and maintain a sturdy AD system on AWS.
AWS Environment Preparation
This guide will focus on creating a self-managed Active Directory Forest consisting of primary and secondary domain controllers distributed across two availability zones to ensure high availability. The architectural diagram below shows the AD Forest spanning two availability zones, plus two public instances. One serves as a bastion host for managing the private domain controllers, while the other is a member server used to demonstrate joining the Active Directory domain.
EC2 Servers Setup
The EC2 instances hosting the Active Directory configuration will be provisioned with the Microsoft Windows Server 2022 Base AMI, configured within VPC settings that restrict inbound internet connectivity. The security group assigned to the Domain Controller must allow specific ports for inbound connectivity as per Microsoft’s official requirements, including:
The public EC2 instances use the same AMI as the domain controller, while the bastion host permits inbound RDP connectivity. This bastion host serves to configure and manage the domain controllers via the Remote Desktop Connection Manager, allowing swift and seamless server and user switching.
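As an added example (not part of the original article), the following PowerShell script grants a domain-controller security group only the inbound ports Microsoft documents for AD DS, scoped to the VPC address range, and allows RDP only from the bastion's security group. It assumes the AWS CLI is installed and authenticated; the group ids and VPC CIDR are placeholders.

```powershell
# Added example: least-privilege inbound rules for a DC security group.
# $GroupId, $BastionSg and $VpcCidr are placeholders (assumptions).
$GroupId   = "sg-PLACEHOLDER-DC"       # security group attached to both DCs
$BastionSg = "sg-PLACEHOLDER-BASTION"  # security group of the bastion host
$VpcCidr   = "10.0.0.0/16"             # VPC address range

# Port list follows Microsoft's published AD DS port requirements.
$Rules = @(
    @{ Protocol = "tcp"; Port = "53";          Desc = "DNS" },
    @{ Protocol = "udp"; Port = "53";          Desc = "DNS" },
    @{ Protocol = "tcp"; Port = "88";          Desc = "Kerberos" },
    @{ Protocol = "udp"; Port = "88";          Desc = "Kerberos" },
    @{ Protocol = "udp"; Port = "123";         Desc = "NTP (W32Time)" },
    @{ Protocol = "tcp"; Port = "135";         Desc = "RPC endpoint mapper" },
    @{ Protocol = "tcp"; Port = "389";         Desc = "LDAP" },
    @{ Protocol = "udp"; Port = "389";         Desc = "LDAP (CLDAP DC locator ping)" },
    @{ Protocol = "tcp"; Port = "445";         Desc = "SMB (SYSVOL / NETLOGON)" },
    @{ Protocol = "tcp"; Port = "464";         Desc = "Kerberos password change" },
    @{ Protocol = "udp"; Port = "464";         Desc = "Kerberos password change" },
    @{ Protocol = "tcp"; Port = "636";         Desc = "LDAPS" },
    @{ Protocol = "tcp"; Port = "3268-3269";   Desc = "Global Catalog / GC over TLS" },
    @{ Protocol = "tcp"; Port = "9389";        Desc = "AD Web Services (AD PowerShell module)" },
    @{ Protocol = "tcp"; Port = "49152-65535"; Desc = "RPC dynamic ports (replication, DC to DC)" }
)

foreach ($r in $Rules) {
    # Every rule is limited to the VPC CIDR; a DC must never be open to 0.0.0.0/0.
    aws ec2 authorize-security-group-ingress --group-id $GroupId `
        --protocol $r.Protocol --port $r.Port --cidr $VpcCidr --output text | Out-Null
    Write-Host ("Allowed {0}/{1} from {2}: {3}" -f $r.Protocol, $r.Port, $VpcCidr, $r.Desc)
}

# RDP for administration is allowed only from the bastion's security group,
# not from an address range, so no other host in the VPC can reach it.
aws ec2 authorize-security-group-ingress --group-id $GroupId `
    --protocol tcp --port 3389 --source-group $BastionSg --output text | Out-Null

# Review the result and look for any source wider than the VPC CIDR.
aws ec2 describe-security-groups --group-ids $GroupId `
    --query "SecurityGroups[0].IpPermissions[].{proto:IpProtocol,from:FromPort,to:ToPort,src:IpRanges[].CidrIp}" `
    --output table
```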
Primary Domain Controller Configuration
Throughout this guide, server configuration will be executed using PowerShell commands; the same actions can also be performed through the GUI. The setup starts by installing the Active Directory Domain Services feature along with the management tools:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Run the following command to ensure the feature has been installed successfully:
Get-WindowsFeature -Name AD-Domain-Services
The output shows the installation is done successfully.
The next step will be configuring the Active Directory Forest, in addition to installing DNS Server Service. We will assume that the domain name we are targeting is corp.local.
$domainName = "corp.local"
Install-ADDSForest -DomainName $domainName -InstallDNS
Running this command will prompt you to create a safe mode administrator password, which is different from the AD administrator password. This password is used only for Directory Services Restore Mode (DSRM), i.e. for AD recovery.
Once the installation is completed, a machine restart will be needed. To verify the setup succeeded, log in to the instance as the domain administrator account (corp\Administrator, as used later in this guide) by updating the login details to that user, with the same password as before.
After the machine is restarted, run the command below to confirm the machine is part of the domain (Primary Dns Suffix) and that the DNS server is configured to the local host (DNS Servers).
ipconfig /all
Secondary Domain Controller Configuration
The first step of configuring an additional domain controller is likewise installing the AD Domain Services feature along with the management tools and validating the installation.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Get-WindowsFeature -Name AD-Domain-Services
The next step will be to configure the DNS IP address of this Domain Controller to point to the primary domain controller. This is achieved by running the below command to get the interface index of the elastic network adapter.
Get-NetIPInterface
The command shows that the interface index of the Ethernet is 2 which will be used in the subsequent command to set the DNS server address to the primary Domain controller.
Set-DnsClientServerAddress -InterfaceIndex 2 -ServerAddresses ("{{primary-dc-ip}}")
After that, we need to configure this instance as an additional domain controller for our domain.
$domainName = "corp.local"
$domainUser = "corp\Administrator"
$HashArguments = @{
Credential = (Get-Credential $domainUser)
DomainName = $domainName
InstallDns = $true
}
Install-ADDSDomainController @HashArguments
This will prompt you to provide the domain administrator's password.
Once the installation is complete, a restart will be required for the server. The same validation steps that were applied earlier to the primary Domain Controller can be followed to verify the setup of this additional Domain Controller.
Configure DNS Server on Domain Controllers
This step focuses on configuring the DNS client settings on both Domain Controllers so that each one points to itself first and to the other Domain Controller second; that way name resolution keeps working if either DC is down. To achieve that, run the following commands on each server to set the DNS server values.
# On the primary DC: get the interface index
Get-NetIPInterface
# On the primary DC: itself first, then the secondary DC
Set-DnsClientServerAddress -InterfaceIndex {{interface-index}} -ServerAddresses ("{{primary-dc-ip}}", "{{secondary-dc-ip}}")
# On the secondary DC: get the interface index
Get-NetIPInterface
# On the secondary DC: itself first, then the primary DC
Set-DnsClientServerAddress -InterfaceIndex {{interface-index}} -ServerAddresses ("{{secondary-dc-ip}}", "{{primary-dc-ip}}")
Finally to validate the setup of the Domain Controllers, run the following commands to open the DNS management tools and Domain Controller management tools.
dsa.msc
dnsmgmt.msc
The Domain Controller management tool (Active Directory Users and Computers) lists the active Domain Controllers operating within the AD forest.
The DNS Manager shows two forward lookup records for the two Domain Controllers, pointing to their corresponding IP addresses.
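The GUI checks above can be scripted. The following health check is an added example (not from the original article) that verifies both DCs are advertised in DNS, reachable on LDAP and Kerberos, and replicating with each other. It assumes the corp.local domain from this guide and runs from either DC or from the bastion with RSAT installed.

```powershell
# Added example: scripted validation of the two-DC forest built above.
Import-Module ActiveDirectory
$Domain = "corp.local"   # domain name used throughout the guide

# 1. Both DCs should be present, with their site, GC status and FSMO roles.
$dcs = @(Get-ADDomainController -Filter * -Server $Domain)
$dcs | Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
if ($dcs.Count -lt 2) { Write-Warning "Expected 2 domain controllers, found $($dcs.Count)" }

# 2. Clients find DCs through SRV records; a DC without one exists but is never
#    used for logon, so the 'high availability' is only on paper.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$advertised = $srv | Where-Object { $_.Type -eq "SRV" } | Select-Object -ExpandProperty NameTarget
foreach ($dc in $dcs) {
    if ($advertised -notcontains $dc.HostName) {
        Write-Warning "$($dc.HostName) has no _ldap SRV record in $Domain"
    }
}

# 3. Each DC must answer LDAP (389) and Kerberos (88) from this host; a
#    BLOCKED result usually means a missing security-group rule.
foreach ($dc in $dcs) {
    foreach ($port in 389, 88) {
        $t = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        "{0,-30} port {1,-4} {2}" -f $dc.HostName, $port,
            $(if ($t.TcpTestSucceeded) { "open" } else { "BLOCKED" })
    }
}

# 4. Replication: a non-zero consecutive failure count between the two DCs
#    typically points at the RPC dynamic port range being blocked or at DNS.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction Stop |
        Select-Object Server, Partner, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult |
        Format-Table -AutoSize
}
```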
Join an Instance to the Active Directory Domain
Enabling an EC2 instance to join an Active Directory domain involves two steps: first, updating the DNS servers of the machine to use the Domain Controllers, and second, updating the machine's domain membership to reference the Active Directory domain. Updating the DNS servers on the machine uses the same commands introduced earlier.
Get-NetIPInterface
Set-DnsClientServerAddress -InterfaceIndex {{interface-index}} -ServerAddresses ("{{primary-dc-ip}}", "{{secondary-dc-ip}}")
Then from the Server Manager dashboard, the domain needs to be updated to the AD Domain, which will prompt you to enter the user credentials of the Active Directory.
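The same join can be done entirely from PowerShell. This added example (not from the original article) discovers the interface index instead of hardcoding it, sets the DC addresses from the guide's placeholders, confirms the DCs are resolvable before changing membership, and joins the domain with Add-Computer. The target OU is an assumption and must already exist.

```powershell
# Added example: script the domain join that the guide performs in Server Manager.
$Domain     = "corp.local"
$DnsServers = @("{{primary-dc-ip}}", "{{secondary-dc-ip}}")   # placeholders from the guide
$DomainOu   = "OU=Servers,DC=corp,DC=local"                   # assumption: target OU

# Find the IPv4 interface that carries the default route (the ENA adapter)
# rather than assuming its index is 2.
$ifIndex = (Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
            Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServers
Clear-DnsClientCache

# Fail early if the DC locator records cannot be resolved; Add-Computer would
# otherwise fail with a less specific error.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq "SRV"
if (-not $srv) { throw "No DC SRV records for $Domain; check DNS servers and security group" }
"Discovered DCs: " + (($srv | ForEach-Object NameTarget) -join ", ")

# Prompt for the join credentials. A delegated account with only the
# 'Create Computer objects' right on $DomainOu is preferable to corp\Administrator.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -OUPath $DomainOu -Restart

# After the reboot, verify the machine's secure channel to a DC:
#   Test-ComputerSecureChannel -Verbose
```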
In conclusion, establishing a robust Active Directory infrastructure on AWS is essential for effective user management. By following the steps outlined in this guide, administrators can ensure high availability and reliability, laying a strong foundation for secure and efficient operations within their organizations.