Comprehensive Guide to Setting Up Active Directory on AWS EC2


Are you looking to set up Active Directory (AD) on an AWS EC2 instance? This guide walks through the process step by step: launching a Windows Server instance, locking down its security group, installing AD DS and promoting the server to a domain controller, pointing the VPC at it for DNS, and finally joining other machines and creating users in the new domain.

Prerequisites

  1. AWS account with permissions to create EC2 instances, security groups and VPC DHCP option sets.
  2. EC2 instances running Windows Server (one for the domain controller and others that will become domain members).
  3. VPC configured with private and public subnets. The domain controller belongs in a private subnet; reach it over a bastion host or VPN rather than giving it a public address.
  4. Security groups allowing the ports AD needs between the domain controller and its members (DNS 53 TCP/UDP, Kerberos 88 TCP/UDP, NTP 123 UDP, RPC endpoint mapper 135, LDAP 389 TCP/UDP, SMB 445, Kerberos password change 464 TCP/UDP, LDAPS 636, Global Catalog 3268-3269 and the dynamic RPC range 49152-65535), restricted to the VPC CIDR, plus RDP 3389 from administrator addresses only.

Installing the Active Directory Domain Controller Role

Setting Up Your EC2 Instance

  1. Signing in and Navigating: Sign in to the AWS Management Console and open the EC2 Dashboard.
  2. Launching Your Instance: Click on “Launch Instance” and select a Windows Server AMI [Windows_Server-2019-English-Full-Base-2024.04.10]; any current Windows Server AMI with the full desktop experience works for this walkthrough.
  3. Choosing the Right Configuration: Pick an instance type [t2.large] that fits your expected load. A lab domain controller is not CPU-bound; memory and the EBS volume holding the NTDS database and SYSVOL matter more. Note that t2 instances are burstable and get throttled under sustained load.
  4. Configuring Security: During configuration, place the instance in the subnet you intend for the domain controller, attach only the IAM instance profile it actually needs, enable EBS encryption on the root volume, and attach the security group described in the next section rather than the default group.
  5. Review and Finalize: Review the configuration before launching; a domain controller should not be renamed or re-addressed casually once it has been promoted, so get the subnet and naming right now.

Configuring Security Groups

  1. Creating a Secure Environment: Navigate to the “Security Groups” section within EC2 and create a new security group dedicated to the domain controller. Do not reuse the default group.
  2. Defining Inbound Rules: Allow RDP (TCP 3389) from your administrator IP address only, and allow the AD ports from the VPC CIDR (or from the member servers' security group): DNS 53 TCP/UDP, Kerberos 88 TCP/UDP, NTP 123 UDP, RPC endpoint mapper 135 TCP, LDAP 389 TCP/UDP, SMB 445 TCP, Kerberos password change 464 TCP/UDP, LDAPS 636 TCP, Global Catalog 3268-3269 TCP and the dynamic RPC range 49152-65535 TCP. Opening only 3389 and 53 is enough to reach the server and resolve names, but domain joins and logons fail without Kerberos, LDAP, RPC and SMB. Never expose 3389 or 53 to 0.0.0.0/0: an internet-reachable domain controller is an immediate target for password spraying and DNS amplification.
  3. Applying Security Measures: Associate the new security group with the domain controller instance. Member servers only initiate connections to the domain controller, so their own security groups need no special inbound rules for AD; only the domain controller's group needs the list above.
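The security group built from the AWS CLI, as an added example that is not part of the original post. It assumes the AWS CLI is installed and authenticated; the VPC ID, VPC CIDR and administrator address are placeholders to replace with your own.

```powershell
# Added example, not from the original post: build the domain controller's security group
# with the full AD port list instead of only 3389 and 53. Assumes the AWS CLI is installed and
# authenticated; the VPC ID, VPC CIDR and admin address below are placeholders to replace.
$VpcId     = 'vpc-0123456789abcdef0'   # placeholder
$VpcCidr   = '10.0.0.0/16'             # placeholder: where the domain members live
$AdminCidr = '203.0.113.10/32'         # placeholder: your admin workstation, not 0.0.0.0/0

$sgId = aws ec2 create-security-group --group-name 'ad-dc-sg' `
    --description 'Domain controller: AD/DNS from VPC, RDP from admin IP' `
    --vpc-id $VpcId --query 'GroupId' --output text

# Ports a domain controller must accept from its members. Each entry: protocol, first port, last port.
$adRules = @(
    @{ p = 'tcp'; f = 53;    t = 53    },   # DNS
    @{ p = 'udp'; f = 53;    t = 53    },
    @{ p = 'tcp'; f = 88;    t = 88    },   # Kerberos
    @{ p = 'udp'; f = 88;    t = 88    },
    @{ p = 'udp'; f = 123;   t = 123   },   # NTP (members sync time from the domain)
    @{ p = 'tcp'; f = 135;   t = 135   },   # RPC endpoint mapper
    @{ p = 'tcp'; f = 389;   t = 389   },   # LDAP
    @{ p = 'udp'; f = 389;   t = 389   },   # CLDAP "LDAP ping" used by the DC locator
    @{ p = 'tcp'; f = 445;   t = 445   },   # SMB: SYSVOL, NETLOGON, Group Policy
    @{ p = 'tcp'; f = 464;   t = 464   },   # Kerberos password change
    @{ p = 'udp'; f = 464;   t = 464   },
    @{ p = 'tcp'; f = 636;   t = 636   },   # LDAPS
    @{ p = 'tcp'; f = 3268;  t = 3269  },   # Global Catalog (LDAP / LDAPS)
    @{ p = 'tcp'; f = 49152; t = 65535 }    # dynamic RPC range (replication, SAM, Netlogon)
)
foreach ($r in $adRules) {
    aws ec2 authorize-security-group-ingress --group-id $sgId `
        --ip-permissions "IpProtocol=$($r.p),FromPort=$($r.f),ToPort=$($r.t),IpRanges=[{CidrIp=$VpcCidr}]"
}

# RDP for administration, only from the admin address.
aws ec2 authorize-security-group-ingress --group-id $sgId `
    --ip-permissions "IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges=[{CidrIp=$AdminCidr}]"

# Review what was actually opened, and fail loudly if anything is world-reachable.
$perms = aws ec2 describe-security-groups --group-ids $sgId `
    --query 'SecurityGroups[0].IpPermissions' --output json | ConvertFrom-Json
$perms | ForEach-Object {
    '{0,-4} {1,5}-{2,-5} {3}' -f $_.IpProtocol, $_.FromPort, $_.ToPort, ($_.IpRanges.CidrIp -join ',')
}
if ($perms.IpRanges.CidrIp -contains '0.0.0.0/0') {
    throw "Security group $sgId has a rule open to the internet"
}
```

The final check is the one worth keeping around: rerun the describe call after any console edit, because a single "Anywhere" RDP rule added for convenience undoes everything else here.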

Installing Active Directory Domain Services

  1. Establishing Remote Access: Open a Remote Desktop Protocol (RDP) session to the instance (retrieve the initial Administrator password from the EC2 console with the instance key pair) and begin the installation.
  2. Adding AD DS Role: Launch Server Manager, choose Manage -> Add Roles and Features, and add the Active Directory Domain Services role. The wizard also pulls in the management tools (Active Directory Users and Computers, ADSI Edit and the ActiveDirectory PowerShell module).
    [Screenshot: Install Active Directory Domain Services role]
  3. Promoting to Domain Controller: When the role install finishes, click the notification flag in Server Manager and choose “Promote this server to a domain controller”.
    [Screenshot: Promoting to Domain Controller]
  4. Configuration Wizard: Work through the configuration wizard, providing the domain name, the forest and domain functional levels, and the administrative credentials.
    [Screenshot: Active Directory Configuration Wizard]

    Note: in our use case we are setting up a new Active Directory, so the Deployment option is ‘Add a new forest’, and we are using our test domain name ‘examtopics.shop’. Choose your own domain name here; use a name you control (or a subdomain of one) rather than an invented TLD, so that nothing outside the VPC can later register the same name and confuse resolution.
  5. Domain Controller Options: Here you set the Directory Services Restore Mode (DSRM) password. It is used only to log on to the domain controller in recovery mode when the directory is offline, so make it long and random and store it somewhere other than the domain itself (a password manager or AWS Secrets Manager). Keep the defaults for the remaining options (DNS server, Global Catalog, Windows Server 2016 functional level, default database/log/SYSVOL paths) and let the wizard reboot the server.
    [Screenshot: Domain Controller Options]
    [Screenshot: Active Directory Server after promotion]
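The same installation and promotion done from an elevated PowerShell session instead of Server Manager, as an added example that is not part of the original post. The domain name examtopics.shop comes from the post; the NetBIOS name EXAMTOPICS and the VPC CIDR 10.0.0.0/16 (which puts the Amazon-provided resolver at 10.0.0.2) are assumptions for this example.

```powershell
# Added example, not from the original post: the Server Manager steps above as PowerShell, run in
# an elevated session on the future domain controller. Assumed values: domain examtopics.shop
# (from the post), NetBIOS name EXAMTOPICS and a VPC CIDR of 10.0.0.0/16, which puts the
# Amazon-provided resolver at 10.0.0.2.
$DomainName  = 'examtopics.shop'
$NetbiosName = 'EXAMTOPICS'
$VpcResolver = '10.0.0.2'   # VPC base address + 2: forward everything outside the domain there

# 1. Role install: AD DS plus DNS and the management tools (ADUC, ActiveDirectory module).
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

# 2. Forwarder: once the VPC hands this server out as the DNS server, it must still be able
#    to resolve AWS endpoints and public names, so forward non-authoritative queries to the VPC resolver.
Add-DnsServerForwarder -IPAddress $VpcResolver -PassThru

# 3. Time: the first DC becomes the PDC emulator and the time source for the whole domain. Take time
#    from the Amazon Time Sync Service link-local address rather than from the hypervisor clock.
w32tm /config /manualpeerlist:"169.254.169.123" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# 4. DSRM password: used only for offline recovery. Generate it long and random and keep it in a
#    password manager or Secrets Manager; it must not live in a script or inside the domain it unlocks.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

# 5. Promotion: the wizard's "Add a new forest" path with default database/log/SYSVOL paths.
#    WinThreshold is the Windows Server 2016 functional level, the default on Server 2019.
#    The server reboots when this completes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

After the reboot, `dcdiag /test:Advertising` and `Get-ADDomainController` confirm that the server advertises itself as a domain controller and Global Catalog, and `Get-DnsServerForwarder` shows that the forwarder survived the promotion.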

Setting Up DHCP Options for Seamless DNS Configuration

For domain members to find the domain controller, the VPC's DHCP option set has to hand out the domain controller's private IP address as the DNS server. With the default option set, instances use the Amazon-provided resolver, which knows nothing about examtopics.shop or the _msdcs SRV records that the domain join and Kerberos depend on.

Configuring DHCP Options

  1. Accessing VPC Dashboard: Navigate to the VPC Dashboard within your AWS Management Console.
  2. Selecting DHCP Option Sets: Open “DHCP Option Sets” and note the option set currently associated with the VPC where your EC2 instances reside (the default set uses AmazonProvidedDNS).
  3. Creating a New DHCP Option Set: Option sets cannot be edited once created, so click “Create DHCP options set” and give the new one a name.
    [Screenshot: VPC DHCP option set]
    Note: in the “Domain name” field enter the domain name [examtopics.shop], and in the “Domain name servers” field enter the private IP addresses of your domain controllers (up to four). These servers then answer every query from instances in the VPC, so the domain controller's DNS role must forward names it is not authoritative for to the VPC resolver (the VPC CIDR base address plus two, e.g. 10.0.0.2), or instances lose access to AWS service endpoints and the internet. Listing a single domain controller also makes it a single point of failure for all name resolution in the VPC.
  4. Associating DHCP Option Set with VPC: Associate the new option set with your VPC (select the VPC, edit its DHCP options set and choose the new one). A VPC has exactly one option set at a time, so this replaces the default.
  5. Verifying Configuration: Check the VPC details to confirm that the new DHCP options set ID is shown. Instances pick up the change when their DHCP lease renews; to force it, log on to a server and run:
    ipconfig /renew
    ipconfig /all
    Run only /renew over an RDP session: ipconfig /release drops the address the session is using, and the renew that follows may not complete before the session times out. The domain controller itself is unaffected because promotion set its DNS client to its own address statically.
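Creating and verifying the option set from PowerShell, as an added example that is not part of the original post. The AWS half runs wherever the AWS CLI is configured; the instance half runs on a server inside the VPC. The VPC ID and the domain controller address 10.0.1.10 are placeholders; examtopics.shop is the post's domain.

```powershell
# Added example, not from the original post. First part runs wherever the AWS CLI is configured;
# second part runs on an instance inside the VPC. Placeholders: VPC ID, domain controller private
# IP 10.0.1.10 (add a second DC's IP to the list when you have one), domain examtopics.shop.
$VpcId  = 'vpc-0123456789abcdef0'
$Domain = 'examtopics.shop'
$DcIps  = @('10.0.1.10')

# --- AWS side: create the option set and associate it with the VPC (a VPC has exactly one) ---
$doptId = aws ec2 create-dhcp-options `
    --dhcp-configurations "Key=domain-name,Values=$Domain" "Key=domain-name-servers,Values=$($DcIps -join ',')" `
    --query 'DhcpOptions.DhcpOptionsId' --output text
aws ec2 associate-dhcp-options --dhcp-options-id $doptId --vpc-id $VpcId
$current = aws ec2 describe-vpcs --vpc-ids $VpcId --query 'Vpcs[0].DhcpOptionsId' --output text
if ($current -ne $doptId) { throw "VPC $VpcId still uses $current, expected $doptId" }

# --- Instance side: pick up the new options and prove that AD-integrated DNS is in use ---
# Renew only. Releasing the lease over an RDP session drops the session itself.
ipconfig /renew | Out-Null
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Format-Table InterfaceAlias, ConnectionSpecificSuffix -AutoSize

# The record the domain join and Kerberos depend on: the domain controller locator SRV record.
# It only exists in the AD-integrated zone, so a successful answer means the DC is the resolver.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } | Format-Table Name, NameTarget, Port -AutoSize
nltest /dsgetdc:$Domain   # prints the DC name, address and flags (GC, PDC, TIMESERV, ...)
```

If `Resolve-DnsName` still returns NXDOMAIN after the renew, the adapter is not using the domain controller as its resolver: check the server list printed above before suspecting the DNS zone.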

Benefits of DHCP Option Configuration

By configuring DHCP options within your VPC, you streamline the DNS configuration process for your Active Directory setup on AWS. This ensures that your EC2 instances receive the necessary DNS server information automatically, simplifying domain resolution and enhancing the overall reliability of your AD environment.


Integrating Additional Machines

  1. Expanding Your Network: Provision additional EC2 instances [webserver-01, webserver-02 . . .] in the same VPC as the domain controller, or in a VPC connected to it through VPC Peering or a Transit Gateway (a peered VPC needs its own DHCP option set pointing at the domain controller, plus routes and security group rules for the AD ports).
    Make sure the AD server is reachable from the web servers on its private IP address.
  2. Joining the Domain: On each new machine, join the domain from System Properties:
    Log in to the new machine -> Server Manager -> Local Server -> click the Workgroup value -> Change -> select Domain and enter the domain name
    [Screenshot: Domain join - webserver-01] [Screenshot: Domain join - webserver-02]
  3. Credential Management: When prompted, provide credentials that are allowed to create computer objects. Use a dedicated join account delegated only “Create computer objects” on the target OU rather than the domain administrator account: Domain Admins credentials should never be typed on member servers, because a compromised member then yields the whole forest.
  4. Completing Integration: Reboot the machines to apply the change and complete the join.
    [Screenshot: Domain joined - webserver-01] [Screenshot: Domain joined - webserver-02]
  5. Check the list of joined EC2 instances from the AD server: the new computer objects appear in Active Directory Users and Computers on the domain controller (in the Computers container unless you specified an OU during the join).
    Server Manager -> Tools -> Active Directory Users and Computers -> Computers
    [Screenshot: List of added computers]
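The join procedure with a least-privilege join account, as an added example that is not part of the original post. The OU name "Servers", the account name "svc-domainjoin" and the NetBIOS name EXAMTOPICS are choices made for this example; the domain examtopics.shop is the post's. The delegation assumes the default permissions on newly created computer objects, which is the normal case; if your environment has tightened those, extend the delegation with the Delegation of Control wizard.

```powershell
# Added example, not from the original post. Part 1 runs on the domain controller, part 2 on
# each web server, part 3 back on the domain controller. Assumed names: domain examtopics.shop
# (NetBIOS EXAMTOPICS), a new OU "Servers" and a join account "svc-domainjoin"; all are choices
# for this example, not something the post prescribes.
$Domain   = 'examtopics.shop'
$DomainDn = 'DC=examtopics,DC=shop'
$OuDn     = "OU=Servers,$DomainDn"

# --- 1. On the domain controller: an OU for member servers and a least-privilege join account ---
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name 'Servers' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
$joinPwd = Read-Host -Prompt 'Password for svc-domainjoin' -AsSecureString
New-ADUser -Name 'svc-domainjoin' -SamAccountName 'svc-domainjoin' -UserPrincipalName "svc-domainjoin@$Domain" `
    -AccountPassword $joinPwd -Enabled $true `
    -Description 'Delegated: create/delete computer objects in OU=Servers only'
# Delegate "create and delete computer objects" on that OU, the right the Delegation of Control
# wizard grants for joining computers. CC/DC = create/delete child, limited to the computer class.
dsacls $OuDn /I:T /G "EXAMTOPICS\svc-domainjoin:CCDC;computer"

# --- 2. On each web server (webserver-01, webserver-02, ...) ---
# Fail early if the machine cannot find a domain controller through DNS; Add-Computer's own
# error for this case is far less clear.
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "No DC locator record for $Domain: the instance is not using the domain controller as DNS"
}
$cred = Get-Credential -UserName 'EXAMTOPICS\svc-domainjoin' -Message 'Domain join account (not Domain Admin)'
Add-Computer -DomainName $Domain -OUPath $OuDn -Credential $cred -Force -Restart

# --- 3. Back on the domain controller, after the members have rebooted ---
Get-ADComputer -Filter * -SearchBase $OuDn -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate |
    Format-Table -AutoSize
```

On a joined member, `Test-ComputerSecureChannel -Verbose` confirms that the machine account password and the secure channel to the domain controller are healthy; it is the first thing to run when a server later reports "the trust relationship between this workstation and the primary domain failed".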

Managing Users and Permissions

  1. User Creation: Open Server Manager -> Tools -> Active Directory Users and Computers on the domain controller and create new user accounts in the appropriate Organizational Unit (OU). Creating your own OUs (for example Staff, Servers, Service Accounts) instead of dropping everything into the built-in Users container lets you apply Group Policy and delegate administration per OU later.
  2. Customizing User Attributes: Set the name, logon name (sAMAccountName and UPN), an initial password with “User must change password at next logon”, and group memberships.
    [Screenshot: Add User in Active Directory]
  3. Granting Permissions: Grant access through group membership rather than per-user rights: put users in role groups and give those groups the rights on file shares, servers and applications. Do not add ordinary users to Domain Admins, Administrators or Enterprise Admins for convenience; reserve those groups for a handful of dedicated admin accounts that are not used for day-to-day logons or on member servers.
    Right Click on User -> Properties -> Member Of
    [Screenshot: User Permissions Administrator]
  4. Check the list of added users from the AD server: all user accounts are visible in Active Directory Users and Computers.
    Tools -> Active Directory Users and Computers -> Users
    [Screenshot: List of added Active Directory users]
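User and group creation done the least-privilege way, as an added example that is not part of the original post. It runs on the domain controller. The OU "Staff", the user "alice" and the group "WebServer-Admins" are names chosen for this example; examtopics.shop is the post's domain.

```powershell
# Added example, not from the original post. Run on the domain controller. It creates a user and
# grants access through a role group instead of adding the user to Administrators or Domain Admins.
# Assumed names: OU "Staff", user "alice", group "WebServer-Admins", domain examtopics.shop.
Import-Module ActiveDirectory
$Domain   = 'examtopics.shop'
$DomainDn = 'DC=examtopics,DC=shop'
$StaffOu  = "OU=Staff,$DomainDn"

New-ADOrganizationalUnit -Name 'Staff' -Path $DomainDn

# A temporary initial password; the user must replace it at first logon.
$initial = Read-Host -Prompt 'Initial password for alice' -AsSecureString
New-ADUser -Name 'Alice Example' -GivenName 'Alice' -Surname 'Example' `
    -SamAccountName 'alice' -UserPrincipalName "alice@$Domain" -Path $StaffOu `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Role group: rights are attached to the group, members come and go.
New-ADGroup -Name 'WebServer-Admins' -GroupScope Global -GroupCategory Security -Path $StaffOu `
    -Description 'Local administrators on the web tier only'
Add-ADGroupMember -Identity 'WebServer-Admins' -Members 'alice'

# On each web server this one line gives the group local admin; no domain-wide privilege involved:
#   Add-LocalGroupMember -Group 'Administrators' -Member 'EXAMTOPICS\WebServer-Admins'

# Review: who really holds domain-wide privilege? Only dedicated admin accounts should be listed.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    '{0,-18} {1}' -f $g, ($members -join ', ')
}
# The password policy the new user is subject to (default domain policy).
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
```

The privileged-group listing at the end is the check to repeat periodically: in a fresh forest it should show only Administrator, and every name that appears there later should be explainable.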

Troubleshooting

Setting up Active Directory on AWS EC2 instances can be complex, and issues may arise during or after the installation process. Here are some common problems and troubleshooting steps to ensure a smooth AD setup and operation:

1. Instance Connectivity Issues

Problem: Unable to connect to EC2 instances via RDP.

Solutions:

  • Security Group Settings: Ensure that your security group allows inbound traffic on port 3389 (RDP) from your IP address.
  • Network ACLs: Check Network ACLs associated with your subnet to ensure they are not blocking RDP traffic.
  • Elastic IP: If you connect from the internet, the instance needs a public or Elastic IP and a route to an internet gateway. The better pattern is to give the domain controller no public address at all and reach it through a bastion host, VPN or AWS Systems Manager Session Manager.
  • Instance Status: Verify that the instance is running and has passed all status checks.

2. AD DS Role Installation Fails

Problem: The installation of Active Directory Domain Services (AD DS) role fails.

Solutions:

  • Event Viewer: Check the Event Viewer logs for any specific errors related to the AD DS installation.
  • Permissions: Ensure the user account used for installation has administrative privileges.
  • Internet Connectivity: The AD DS binaries ship on the AMI, so the role install itself needs no internet access; only Windows Update, if you run it as part of the setup, needs a route to the internet (a NAT gateway from a private subnet).
  • Instance Specifications: The t2.large used in this guide is ample; AD DS itself runs on far less. What does matter is free disk space for the NTDS database, its logs and SYSVOL.

3. Domain Controller Promotion Issues

Problem: The server fails to promote to a Domain Controller.

Solutions:

  • DNS Configuration: Before promotion the instance can keep the VPC resolver handed out by DHCP; the promotion wizard installs DNS and points the server's DNS client at itself. If you set DNS manually beforehand, make sure the server can still resolve names during promotion.
  • Service Dependencies: Verify that all necessary services (e.g., DNS Server) are installed and running.
  • Functional Levels: Check that the selected functional levels are appropriate for the domain. A new forest on Windows Server 2019 defaults to the Windows Server 2016 level; you cannot pick a level higher than the OS supports or lower than an existing domain controller's.
  • Log Files: Review %systemroot%\debug\dcpromo.log and dcpromoui.log for detailed error messages.

4. DNS Resolution Problems

Problem: DNS queries are not resolving correctly within the domain.

Solutions:

  • DHCP Options Set: Ensure that the DHCP options set is correctly configured with the domain name and DNS server IP addresses.
  • DNS Service: Confirm that the DNS service is running on the domain controller.
  • IP Configuration: Run ipconfig /renew on the instance to pick up the DNS servers from the new DHCP option set (avoid ipconfig /release over RDP, since it drops the session), then ipconfig /all to confirm that the domain controller's IP address is listed as the DNS server.
  • DNS Records: Check for missing or incorrect DNS records in the DNS Manager.

5. Domain Join Failures

Problem: Additional EC2 instances cannot join the domain.

Solutions:

  • Network Connectivity: Ensure there is network connectivity between the EC2 instances and the domain controller. This includes checking security groups, route tables, and peering connections if applicable.
  • DNS Settings: Verify that the EC2 instances are using the domain controller's IP address as their DNS server, and that the domain controller locator record _ldap._tcp.dc._msdcs.<domain> resolves from the instance; without it the join cannot find a domain controller even when LDAP is reachable.
  • Time Synchronization: Ensure that the instance time is within Kerberos' default 5-minute tolerance of the domain controller. On EC2, point the domain controller at the Amazon Time Sync Service (169.254.169.123) and let members sync from the domain hierarchy, which is the Windows default for domain members.
  • Error Messages: Check the error shown by the join dialog and the detailed trace in %windir%\debug\NetSetup.log on the machine being joined; the log names the domain controller it tried and the exact operation that failed.
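A diagnostic script that runs the checks in the list above from the machine that fails to join, as an added example that is not part of the original post. The domain controller address 10.0.1.10 is a placeholder; examtopics.shop is the post's domain.

```powershell
# Added example, not from the original post. Run on the machine that fails to join; it checks the
# four things the list above names (network path, DNS, time, error detail). Assumes the domain
# controller is 10.0.1.10 and the domain is examtopics.shop; both are placeholders.
$Dc     = '10.0.1.10'
$Domain = 'examtopics.shop'

# 1. Network path: every TCP port the join uses. A BLOCKED line points at the security group,
#    a network ACL or (across VPCs) a missing route.
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,6}  {1}' -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. DNS: which resolver the adapter uses, and whether the DC locator record answers.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc

# 3. Time: Kerberos tolerates 5 minutes of skew by default; the offset printed must be well below that.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly

# 4. The exact failure: the join writes a trace that names the DC tried and the failing step.
Get-Content "$env:windir\debug\NetSetup.log" -Tail 40 -ErrorAction SilentlyContinue

# 5. Recent Netlogon / Kerberos / time events on this machine.
Get-WinEvent -LogName System -MaxEvents 200 |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos|Time-Service' } |
    Select-Object -First 15 TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap
```

On the domain controller side, `dcdiag /test:DNS /test:Advertising` is the matching check: it confirms that the SRV records the member is looking for were actually registered.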

6. User and Permission Issues

Problem: Users are unable to log in or have incorrect permissions.

Solutions:

  • User Account Status: Check that the user accounts are not disabled or locked out.
  • Group Memberships: Verify that users are members of the correct groups to have the necessary permissions.
  • Password Policies: Ensure that users comply with domain password policies.
  • Event Logs: Review the Security log on the domain controller for failed logons (event ID 4625 and, for Kerberos pre-authentication failures, 4771) and lockouts (4740); these events also name the source workstation.

7. DHCP Option Set Not Applying

Problem: The DHCP option set is not being applied to instances.

Solutions:

  • Option Set Association: Confirm that the DHCP option set is associated with the VPC (the VPC details show the option set ID). A VPC can have only one option set, so associating a new one replaces the old one.
  • Instance Refresh: Run ipconfig /renew on the instance to pick up the new options (avoid ipconfig /release over RDP, since it drops the session).
  • Static Settings: DHCP options only apply to adapters that take their DNS servers from DHCP. An adapter with statically configured DNS servers, as the domain controller has after promotion, keeps its own settings; that is expected and not a fault.

By addressing these common issues with the provided solutions, you can troubleshoot effectively and ensure a successful Active Directory setup on AWS EC2 instances.

Conclusion: Empowering Your Domain

By following this guide, you have set up a self-managed Active Directory domain on AWS EC2 (as opposed to AWS Managed Microsoft AD, which is a separate service), with the VPC resolving the domain's names, member servers joined, and users managed centrally. From here the usual hardening steps apply: add a second domain controller in another Availability Zone, back up the system state, keep the privileged groups limited to dedicated admin accounts, and watch the Security log. Happy configuring!

author

Kartik Kocher

👋 Namaste! I'm Kartik Kocher, a Senior Cloud DevOps Engineer with over 8 years of experience in AWS cloud and DevOps. I'm passionate about delivering innovative cloud solutions, specializing in CI/CD pipelines, infrastructure automation, containerization, and cloud security. I've worked across various sectors, bringing efficiency through new products and services. Proficient in Jenkins, GitHub, AWS CodeBuild, and CodeDeploy for CI/CD pipelines, and adept at Kubernetes deployments on AWS EKS. Skilled in Terraform for infrastructure as code (IaC) practices. Security-focused with expertise in IAM roles, security groups, and compliance checks. Certified as an AWS Certified DevOps Engineer - Professional and AWS Certified Solutions Architect. I've led projects like migrating on-premises workloads to AWS and Azure, optimizing costs, and implementing CI/CD pipelines. Committed to following AWS best practices and contributing to the tech community through knowledge sharing and blogging. Reach out at me@kartikkocher.com or visit my website https://www.kartikkocher.com for collaboration or to connect. Tech enthusiast. Cloud explorer. Innovator. Let's connect and explore the endless possibilities in the cloud domain together! 🚀
