How to Configure Your EC2 Instances to Automatically Join a Microsoft Active Directory Domain
Seamlessly joining Windows EC2 instances in AWS to a Microsoft Active Directory domain is a common scenario, especially for enterprises building a hybrid cloud architecture. With AWS Directory Service, you can target an Active Directory domain managed on-premises or within AWS. How to Connect Your On-Premises Active Directory to AWS Using AD Connector takes you through the process of implementing that scenario.
In this blog post, I will first show you how to get the Amazon EC2 launch wizard to pick up your custom domain-join configuration by default, including an organizational unit, when launching new Windows instances. I will also show you how to enable an EC2 Auto Scaling group to automatically join newly launched instances to a target domain. Amazon EC2 Simple Systems Manager (SSM) plays a central role in enabling both scenarios.
Prerequisites and assumptions
- You have an Active Directory domain managed in AWS or an on-premises domain exposed via AD Connector.
- You have properly installed and configured the AWS CLI on your computer.
- This guide applies to Windows-based instances only.
Part 1: Change the default domain-join configuration in the EC2 launch wizard
First, let's get to know SSM. SSM is a service that enables you to remotely manage the configuration of your Windows EC2 instances. Through SSM, you can remotely run administrative scripts or commands on your Windows instances.
SSM is configured via JSON documents. An SSM JSON document lists commands you want to run on an instance, such as aws:domainJoin, which instructs SSM to join a Windows EC2 instance to a domain.
The following is a sample SSM document with an aws:domainJoin command configuration. Based on this sample, you can author an SSM document that contains your own domain-join configuration, including the organizational unit to which you want the server to be added. (Throughout this blog post, values such as d-1234567890, test.example.com and 198.51.100.1 are placeholders. Replace them with your own AWS information.)
{
  "schemaVersion": "1.0",
  "description": "Sample configuration to join an instance to a domain",
  "runtimeConfig": {
    "aws:domainJoin": {
      "properties": {
        "directoryId": "d-1234567890",
        "directoryName": "test.example.com",
        "directoryOU": "OU=test,DC=example,DC=com",
        "dnsIpAddresses": [
          "198.51.100.1",
          "198.51.100.2"
        ]
      }
    }
  }
}
In this configuration document:
- directoryId is the ID of a directory (or AD Connector) you created in AWS Directory Service.
- directoryName is the name of the domain (for example, example.com).
- directoryOU is the organizational unit, within the domain, in which the computer object is created.
- dnsIpAddresses includes the IP addresses for the DNS servers you specified when you created your directory (or AD Connector) in Directory Service.
But what is the connection between SSM and the EC2 launch wizard? The first time you specify a domain in the EC2 launch wizard, the wizard generates the domain's default SSM document. The default SSM document contains the necessary domain-join configuration, but without the directoryOU property. The launch wizard names a default SSM document using this convention: awsconfig_Domain_<directoryId>_<directoryName>. As soon as an instance you launch from the wizard is up and running, the wizard associates the specified domain's default SSM document with it. As part of the instance's boot-up process, the EC2Config service applies the SSM document associated with your instance.
Note: The commands or scripts specified in SSM documents run with administrative privilege on your instances because the EC2Config service runs in the LocalSystem account on Windows. Anyone who can create or modify SSM documents in your account, or associate them with your instances, therefore effectively has local administrator access to those instances. For more information about this security consideration, see Managing Windows Instance Configuration.
The domain-join command in the default SSM document is executed exactly once, as part of the instance's first boot-up process. The command is not executed again when an instance is stopped and started, or when the instance reboots.
Replace the default SSM document
The following steps show how to replace the default SSM document for your domain with your own SSM document that includes the directoryOU property. Before starting, ensure you have fulfilled the prerequisites for using SSM, including configuring an AWS Identity and Access Management (IAM) role that allows your launched EC2 instances to communicate with the SSM API. Also, ensure that you have installed and configured the AWS CLI on a computer so that you can execute the AWS CLI commands that follow. Make sure the effective AWS region for your AWS CLI setup is the same region where your target Active Directory domain is configured and the same region where you will launch your Windows EC2 instances.
To replace the default SSM document:
- Author a new SSM document based on the JSON sample shown above. Make sure you include the organizational unit that you want to be the default for your target domain in the EC2 launch wizard. Save the document to a file for reference in later steps.
- Verify whether the default SSM document exists for your domain by running the following command.
If the default document for your target domain does not exist, the command output will indicate an "Invalid Document" error message. This simply indicates that you have never attempted to launch EC2 instances from the wizard to join the target directory, so the default SSM document for the directory has not been created yet. In that case, skip to Step 5.
If the default document exists, it is because you previously launched instances from the wizard to join a target domain. In this case, the command produces JSON. The Content attribute holds the compact JSON content of the default SSM document created by the wizard. Such a default SSM document for a domain includes the aws:domainJoin command properties directoryId, directoryName, and dnsIpAddresses. However, it leaves out directoryOU (the organizational unit), as shown in the following JSON from the Content attribute.
{
  "schemaVersion": "1.0",
  "description": "Automatic domain-join configuration created by the EC2 console.",
  "runtimeConfig": {
    "aws:domainJoin": {
      "properties": {
        "directoryId": "d-1234567890",
        "directoryName": "test.example.com",
        "dnsIpAddresses": [
          "198.51.100.1",
          "198.51.100.2"
        ]
      }
    }
  }
}
Save the command output to a file (for example, awsconfig_Domain_<directoryId>_<directoryName>.json) for future reference.
- Run the following command to see whether the default SSM document is already associated with any instances.
If you have never launched instances to join your domain from the wizard, the command output will be an empty list of associations. Otherwise, the command returns a list of all the instances that were launched to join your domain from the wizard. Save the output to a file for your reference.
- Delete the current default SSM document. When you delete an SSM document, the document and all its associations with instances are deleted. Note that deleting the default SSM document does not touch or alter a running instance that is associated with it.
Run the following command to delete the default document.
- Finally, upload the SSM document you authored in Step 1 as the default document. You can do that by running the following command.
Note: If you are issuing the previous CLI command from a Linux or Mac computer, you must add a "/" at the beginning of the path (for example, file:///Users/username/new-ssm-doc-withOU.json).
After the create-document command successfully executes, you are done replacing the default SSM document with the SSM document you authored. The EC2 launch wizard will apply your new SSM configuration by default to any Windows instance launched to join your domain, placing it under the specified OU.
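The AWS CLI commands the original post showed for Steps 2 through 5 did not survive in this copy of the page. The following is an added example, my own script rather than the post's, that runs the same procedure end to end with AWS Tools for PowerShell (Get-SSMDocument, Get-SSMAssociationList, Remove-SSMDocument, New-SSMDocument). It assumes the AWSPowerShell module is installed with credentials and region already configured; the directory ID, domain name, and document path are placeholders you pass in. Before uploading, it refuses a document that still lacks directoryOU or whose directoryId does not match the name it is being published under, since a mismatch there silently joins instances to the wrong directory.

```powershell
# Added example (not from the original post): replace the launch wizard's default
# domain-join SSM document with one that carries directoryOU.
# Placeholders: -DirectoryId, -DirectoryName and -NewDocumentPath are yours to supply.
param(
    [Parameter(Mandatory)] [string] $DirectoryId,      # e.g. d-1234567890
    [Parameter(Mandatory)] [string] $DirectoryName,    # e.g. test.example.com
    [Parameter(Mandatory)] [string] $NewDocumentPath,  # JSON authored in Step 1 (with directoryOU)
    [string] $Region = 'us-east-1'
)
$ErrorActionPreference = 'Stop'
Set-DefaultAWSRegion -Region $Region
$docName = "awsconfig_Domain_${DirectoryId}_${DirectoryName}"

# Step 2: does the wizard's default document exist? Get-SSMDocument throws
# InvalidDocumentException when it does not, which simply means "skip to Step 5".
$existing = $null
try {
    $existing = Get-SSMDocument -Name $docName
    $backup = "$docName.json"
    $existing.Content | Set-Content -Path $backup -Encoding UTF8
    Write-Host "Saved existing default document to $backup"
} catch {
    if (($_.Exception.GetType().Name + $_.Exception.Message) -notmatch 'InvalidDocument') { throw }
    Write-Host "No default document named $docName yet; skipping to create"
}

if ($existing) {
    # Step 3: record which instances are currently associated before the document is deleted
    $assoc = Get-SSMAssociationList -AssociationFilterList @{ Key = 'Name'; Value = $docName }
    $assoc | Select-Object InstanceId, Name, @{ n = 'Status'; e = { $_.Overview.Status } } |
        Export-Csv -Path "$docName-associations.csv" -NoTypeInformation
    # Step 4: deleting the document deletes its associations too; running instances are unaffected
    Remove-SSMDocument -Name $docName -Force
}

# Step 5: upload the authored document under the same name so the wizard picks it up by default
$content = Get-Content -Path $NewDocumentPath -Raw
$props = ($content | ConvertFrom-Json).runtimeConfig.'aws:domainJoin'.properties
if (-not $props.directoryOU) {
    throw "$NewDocumentPath has no directoryOU; nothing is gained by replacing the default"
}
if ($props.directoryId -ne $DirectoryId) {
    throw "directoryId in $NewDocumentPath ($($props.directoryId)) does not match $DirectoryId"
}
New-SSMDocument -Name $docName -Content $content -DocumentType Command | Out-Null
Write-Host "Published $((Get-SSMDocument -Name $docName).Name)"
```

Run it from the same region as the directory, exactly as the post requires for the CLI. The two checks before New-SSMDocument are the practitioner's safety net: the document name is the only thing tying the wizard to this configuration, so the name must agree with the directoryId inside it.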
Now, let's move to Part 2 of this blog post!
Part 2: Enable automatically joining an Active Directory domain for EC2 instances in an Auto Scaling group
Auto Scaling is a service that helps you ensure that you have the correct number of EC2 instances available to handle the load for your applications. Collections of EC2 instances are called Auto Scaling groups, and you can specify the minimum number of instances in each Auto Scaling group. Auto Scaling ensures that your group never goes below this size. Similarly, you can specify the maximum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never exceeds this size.
What if you want instances to join an Active Directory domain automatically when they are launched in an Auto Scaling group? What if you still need to set the organizational unit? The following steps show you how you can accomplish this by invoking SSM from a Windows PowerShell script when you boot up your instances.
Before proceeding, you must first author and upload an SSM document containing your domain-join configuration using the SSM create-document command, as described in Steps 1 and 5 in Part 1 of this post. For the sake of clarity, I will use the name awsconfig_Domain_<directoryId>_<directoryName> to refer to the uploaded SSM document.
Step 1: Create a new IAM policy, copying the AmazonEC2RoleforSSM policy
In this step, you will create a new IAM policy with permissions to allow your instances to perform the ssm:CreateAssociation action, which will join each instance to your domain. The new policy will be based on the AWS managed policy AmazonEC2RoleforSSM.
To create this new IAM policy:
- Open the IAM console, and then click Policies. Click Create Policy.
- On the Create Policy page, click Copy an AWS Managed Policy.
- In the Search Policies field, type AmazonEC2RoleforSSM, and then click Select.
- In the Policy Name field, type the name AmazonEC2RoleforSSM-ASGDomainJoin.
- In the Policy Document editor, add the ssm:CreateAssociation permission to the list of allowed SSM actions in the copied policy.
- Finally, click Validate Policy. If the policy is valid, click Create Policy.
Step 2: Create a new IAM role for EC2 instances in your Auto Scaling group
Next, you will create a new IAM role and attach the AmazonEC2RoleforSSM-ASGDomainJoin policy to it. This role and its attached policy will give your EC2 instances permission to communicate with the SSM service and call the SSM APIs. You will specify this role later on in the Auto Scaling launch configuration wizard.
To create this new IAM role:
- Open the IAM console, click Roles in the left pane, and then click Create New Role.
- On the Select Role Type page, in the AWS Service Roles section, choose Amazon EC2. This takes you to the Attach Policy page.
- In the Filter box, type AmazonEC2RoleforSSM-ASGDomainJoin. Select the check box next to your policy, and then choose Attach Policy. This takes you to the Set Role Name and Review page.
- In the Role Name field, type EC2SSMRole-ASG, and then type a role description.
- Review the role details, and then choose Create Role.
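Steps 1 and 2 copy the whole managed policy and widen it in the console. As an added example that is not part of the original post, the following PowerShell builds the same role with AWS Tools for PowerShell but keeps the managed policy intact and adds a separate customer managed policy that grants ssm:CreateAssociation only on the domain-join document and on instances in this account, rather than on every document and every instance. The account ID, region, document name and role name are placeholders. It assumes the AWSPowerShell module with credentials that can create IAM resources. One caveat a practitioner should know: AmazonEC2RoleforSSM has since been deprecated by AWS in favor of AmazonSSMManagedInstanceCore, and if you switch to that policy you must also attach AmazonSSMDirectoryServiceAccess, which carries the ds:CreateComputer and ds:DescribeDirectories permissions the aws:domainJoin plugin needs.

```powershell
# Added example (not from the original post): least-privilege variant of Steps 1 and 2.
# Placeholders: $AccountId, $Region, $DocumentName and $RoleName.
param(
    [string] $AccountId    = '123456789012',
    [string] $Region       = 'us-east-1',
    [string] $DocumentName = 'awsconfig_Domain_d-1234567890_test.example.com',
    [string] $RoleName     = 'EC2SSMRole-ASG'
)
$ErrorActionPreference = 'Stop'

# ssm:CreateAssociation supports resource-level scoping on the document and the instance.
# A compromised instance holding this role can therefore only associate *this* document,
# not an arbitrary (LocalSystem-privileged) document of the attacker's choosing.
$assocPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ssm:CreateAssociation",
    "Resource": [
      "arn:aws:ssm:${Region}:${AccountId}:document/${DocumentName}",
      "arn:aws:ec2:${Region}:${AccountId}:instance/*"
    ]
  }]
}
"@

# Trust policy: only the EC2 service may assume the role
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
"@

$policy = New-IAMPolicy -PolicyName 'SSMDomainJoinAssociation' -PolicyDocument $assocPolicy
New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $trustPolicy | Out-Null

# Managed policy for the SSM agent itself (the post uses AmazonEC2RoleforSSM)
Register-IAMRolePolicy -RoleName $RoleName `
    -PolicyArn 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
Register-IAMRolePolicy -RoleName $RoleName -PolicyArn $policy.Arn

# EC2 launches reference an instance profile, not the role directly
New-IAMInstanceProfile -InstanceProfileName $RoleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $RoleName -RoleName $RoleName
Write-Host "Role $RoleName ready; select it as the IAM role in the launch configuration"
```

The console flow in Step 2 creates the instance profile for you behind the scenes; when you script it, the last two cmdlets are what make the role selectable in the launch configuration wizard.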
Step 3: Create a new Auto Scaling launch configuration
This is the step where it all comes together. First, create an Auto Scaling launch configuration that uses the IAM role you created:
- Open the EC2 console, then click Launch Configurations under Auto Scaling in the left pane.
- Click Create Launch Configuration to start the Launch Configuration creation wizard. Choose a Windows Server Amazon Machine Image (AMI) and proceed to Step 2 of the wizard. Choose an instance type that matches your needs, and then proceed to Step 3 of the wizard, Configure Details.
- Type the appropriate configuration details, starting with the Name of your launch configuration. For IAM role, select EC2SSMRole-ASG.
- Expand the Advanced Details section. Add a Windows PowerShell script that is to be executed when new instances are launched as the Auto Scaling group scales out. Customize the following script, copy it, and paste it in the User data field.
To customize the preceding script:
- <region> is the region in which you are creating your Auto Scaling launch configuration (for example, us-east-1).
- <ssmDocumentName> is the name of the SSM document that you created earlier.
The script joins each instance to your domain by issuing the SSM API action ssm:CreateAssociation behind the scenes. This happens as part of the boot-up process executed by the EC2Config service. An important benefit of this approach is that you do not have to expose any domain credentials: the instance role authorizes the association, and SSM performs the join on the instance's behalf.
- Proceed to Step 4 of the Launch Configuration wizard, Add Storage. Specify your storage requirement, and then proceed to Step 5, Configure Security Group. In Step 5, you can either create a new security group or select an existing one and modify it. Whichever you choose, ensure that the security groups selected allow outbound access to the Internet over port 443 (HTTPS). This is necessary for EC2 instances in the Auto Scaling group to communicate with the SSM service. For more information about configuring security groups, see Amazon EC2 Security Groups for Windows Instances.
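The user data script the original post supplied for Step 3 is missing from this copy of the page. What follows is an added example, my own script rather than the post's, of a user data block that does what the text describes: it reads the instance ID from the instance metadata service and calls New-SSMAssociation (ssm:CreateAssociation) for the domain-join document. It assumes a Windows AMI whose EC2Config or EC2Launch runs `<powershell>` user data and has AWS Tools for PowerShell available, as the Amazon Windows AMIs do; `<region>` and `<ssmDocumentName>` are the placeholders described above. Two things go beyond the post: the instance ID is fetched with IMDSv2 (session token) so the script keeps working when IMDSv1 is disabled on the instance, and the association call is retried because on first boot the SSM agent can register a few seconds after user data starts, in which case CreateAssociation rejects the instance ID.

```powershell
<powershell>
# Added example (not the original post's script): user data for the Auto Scaling launch
# configuration. Replace <region> and <ssmDocumentName> before use.
$ErrorActionPreference = 'Stop'
Set-DefaultAWSRegion -Region '<region>'
$documentName = '<ssmDocumentName>'   # e.g. awsconfig_Domain_d-1234567890_test.example.com

# Instance ID from IMDS, using the IMDSv2 token handshake instead of a bare GET
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$instanceId = Invoke-RestMethod -Uri "$imds/meta-data/instance-id" `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }

# Associate the domain-join document with this instance. The instance role, not a domain
# credential, authorizes the call; the SSM agent then runs aws:domainJoin as LocalSystem.
$attempt = 0
while ($true) {
    try {
        $assoc = New-SSMAssociation -Name $documentName -InstanceId $instanceId
        Write-Output "Association $($assoc.AssociationId) created for $instanceId"
        break
    } catch {
        if (++$attempt -ge 5) { throw }          # give up after 5 tries (~150 s)
        Write-Output "CreateAssociation failed (attempt $attempt): $($_.Exception.Message)"
        Start-Sleep -Seconds (10 * $attempt)
    }
}
</powershell>
```

Output from user data lands in the EC2Config or EC2Launch log on the instance, which is where to look first if the association never appears in Step 5 below.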
Step 4: Create an Auto Scaling group
In this step, you create an Auto Scaling group to launch one or more instances automatically based on the launch configuration you created:
- Open the EC2 console, and then choose Launch Configurations under Auto Scaling in the navigation pane.
- In the list of launch configurations, choose the launch configuration you created in Step 3.
- Choose Create Auto Scaling Group to start the Auto Scaling Group creation wizard.
- Type a Name for your Auto Scaling group. In the Network box, choose the VPC in which your Active Directory server or connector is deployed. In the Subnet box, choose a subnet in the VPC. Make sure the subnet you choose does not have network access control list rules that prevent it from communicating with your Active Directory server or connector.
- Choose Next: Configure Scaling Policies to configure the scaling policy.
- Choose Next: Configure Notifications to configure notifications for your Auto Scaling group.
- Configure tags to make it easier to identify auto scaled instances in the EC2 console. For example, you could type Name for the key and Auto Scaled for the value.
- Finish creating your Auto Scaling group. Choose Review and then click Create Auto Scaling Group.
Step 5: Verify Active Directory domain auto join
In this final step, you verify that your auto scaled instances are joined to your Active Directory domain:
- Open the EC2 console and click Instances in the navigation pane.
- Note the InstanceIds of all instances that have a Name of Auto Scaled (based on the tag you specified in Step 4). Wait until the Auto Scaled instances are in the Running state and their Status Checks show 2/2 Checks Passed (this means initialization is complete) before proceeding.
- Run the following AWS CLI command to list current associations of your new SSM document with running EC2 instances.
- Carefully review the JSON list of associations returned by the preceding command. For every association, check whether the InstanceId attribute matches one of your auto scaled instances. If there's a match, check the Overview. It should contain a subattribute named Status with a value of Success. If so, congratulations! This indicates that the SSM AD join command was executed successfully.
- Double-check with Microsoft Active Directory tools to ensure the auto scaled instances joined your domain.
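The CLI command for listing associations is not reproduced in this copy of the page. As an added example, not the post's own, the following PowerShell does the whole of Step 5 in one pass: it finds the running instances carrying the tag from Step 4, looks up the associations of the domain-join document, and reports one line per instance with the association status, exiting non-zero if any instance is missing an association or reports something other than Success. It assumes AWS Tools for PowerShell with credentials and region configured; the document name and tag value are placeholders matching the earlier steps.

```powershell
# Added example (not from the original post): verify the auto scaled instances have a
# successful association of the domain-join document. Placeholders: $DocumentName, $NameTag.
param(
    [string] $DocumentName = 'awsconfig_Domain_d-1234567890_test.example.com',
    [string] $NameTag      = 'Auto Scaled'
)
$ErrorActionPreference = 'Stop'

# Running instances tagged Name=<NameTag> in Step 4
$instances = (Get-EC2Instance -Filter @(
        @{ Name = 'tag:Name';            Values = $NameTag },
        @{ Name = 'instance-state-name'; Values = 'running' })).Instances

# All associations of the document, indexed by instance ID
$byInstance = @{}
foreach ($a in (Get-SSMAssociationList -AssociationFilterList @{ Key = 'Name'; Value = $DocumentName })) {
    $byInstance[$a.InstanceId] = $a
}

$report = foreach ($i in $instances) {
    $a = $byInstance[$i.InstanceId]
    [pscustomobject]@{
        InstanceId = $i.InstanceId
        Associated = [bool] $a
        Status     = if ($a) { $a.Overview.Status } else { 'NoAssociation' }
        LastRun    = if ($a) { $a.LastExecutionDate } else { $null }
    }
}
$report | Format-Table -AutoSize

# Fail loudly so the check can run from a scheduled job or a pipeline step
$bad = @($report | Where-Object Status -ne 'Success')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) auto scaled instance(s) are not successfully joined"
    exit 1
}
```

A Success status means the aws:domainJoin plugin reported success to SSM; the directory-side confirmation the last bullet asks for is a Get-ADComputer query against the OU you configured, which should show one computer object per instance.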
Step 6: Schedule automatic cleanup of stale domain objects in your directory
As an Auto Scaling group scales out, instances are created and joined to your domain. It is important to note that as the Auto Scaling group scales in, instances are terminated, and the instances' corresponding computer objects are not removed from your directory. Therefore, terminated instances will result in stale entries.
Though Active Directory can hold a large number of computer objects, it is a good practice to schedule a script to remove stale entries from your directory. Alternatively, you can set up a script to unjoin a computer from your domain, and have that script run before instance shutdown. The underlying assumption of the second approach is that instances in an Auto Scaling group are only shut down (and terminated) when they are no longer needed; it also requires the instance to hold a credential permitted to delete its own computer object, which the SSM-based join was designed to avoid.
How you do this cleanup is up to you, and practices will differ from one administrator to another.
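As an added example of the first approach (a scheduled script, not the post's own code), the following PowerShell removes computer objects in the Auto Scaling OU that have not logged on for a configurable number of days. It assumes the ActiveDirectory module from RSAT, a run-as account allowed to delete computers in that OU, and a Task Scheduler job that invokes it; the OU and threshold are placeholders. It is a dry run unless -Commit is passed. The threshold matters for safety: lastLogonTimestamp (which LastLogonDate is derived from) is only replicated when it is more than roughly 14 days old, so an inactivity threshold below 14 days risks deleting live machines. Objects that have never logged on (an instance that joined and was terminated minutes later) carry no LastLogonDate, so the script falls back to whenCreated for those rather than skipping them.

```powershell
# Added example (not from the original post): scheduled removal of stale computer objects
# left behind by scaled-in instances. Placeholders: $SearchBase, $InactiveDays.
param(
    [string] $SearchBase   = 'OU=test,DC=example,DC=com',
    [int]    $InactiveDays = 21,     # keep >= 14: lastLogonTimestamp replicates lazily
    [switch] $Commit                 # without -Commit, only report what would be removed
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

if ($InactiveDays -lt 14) {
    throw "InactiveDays must be at least 14; shorter thresholds can delete live machines"
}
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Computers in the OU whose last logon (or creation, if they never logged on) predates the cutoff
$stale = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate, whenCreated |
    Where-Object {
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $lastSeen -lt $cutoff
    }

foreach ($c in $stale) {
    $seen = if ($c.LastLogonDate) { $c.LastLogonDate } else { "never (created $($c.whenCreated))" }
    if ($Commit) {
        # -Recursive also removes leaf objects some services create under the computer,
        # which otherwise make Remove-ADComputer fail
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
        Write-Output "Removed $($c.Name) (last seen $seen)"
    } else {
        Write-Output "Would remove $($c.Name) (last seen $seen)"
    }
}
Write-Output "$(@($stale).Count) stale object(s) in $SearchBase"
```

Scope the scheduled task's account to that one OU; a cleanup job that can delete computers anywhere in the domain is a much larger blast radius than the problem it solves.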
Conclusion
In this blog post, I showed you how to apply your custom domain-join configuration with the EC2 launch wizard. I also explained how EC2 instances in Auto Scaling groups can be automatically joined to an Active Directory domain upon launch, and why it is necessary to schedule regular cleanup of stale computer objects in your directory. Central to all the above scenarios is SSM, which continues to evolve and add administrative control features over Windows and Linux EC2 instances alike.
If you have comments about this blog post, submit them in the "Comments" section below. If you have questions, please start a new forum thread on the EC2 forum.
– Moataz
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
Source: https://aws.amazon.com/blogs/security/how-to-configure-your-ec2-instances-to-automatically-join-a-microsoft-active-directory-domain/