Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory
Before you can create AWS Managed Microsoft AD in your AWS test lab, you first need to set up your Amazon EC2 key pair so that all login data is encrypted.
Create a key pair
If you already have a key pair, you can skip this step. For more information about Amazon EC2 key pairs, see Create key pairs.
To create a key pair
Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
In the navigation pane, under Network & Security, choose Key Pairs, and then choose Create Key Pair.
-
For Key pair name, type
AWS-DS-KP. For Key pair file format, select pem, and then choose Create. -
The private key file is automatically downloaded by your browser. The file name is the name you specified when you created your key pair with an extension of
.pem. Save the private key file in a safe place.Important
This is the only chance for you to save the private key file. You need to provide the name of your key pair when you launch an instance and the corresponding private key each time you decrypt the password for the instance.
Create, configure, and peer two Amazon VPCs
As shown in the following illustration, by the time you finish this multi-step process you will have created and configured two public VPCs, two public subnets per VPC, one Internet Gateway per VPC, and one VPC Peering connection between the VPCs. We chose to use public VPCs and subnets for the purpose of simplicity and cost. For production workloads, we recommend that you use private VPCs. For more information about improving VPC Security, see Security in Amazon Virtual Private Cloud.
All of the AWS CLI and PowerShell examples use the VPC information from below and are built in us-west-2. You may choose any supported Region to build you environment in. For general information, see What is Amazon VPC?.
Step 1: Create two VPCs
In this step, you need to create two VPCs in the same account using the specified parameters in the following table. AWS Managed Microsoft AD supports the use of separate accounts with the Share your AWS Managed Microsoft AD feature. The first VPC will be used for AWS Managed Microsoft AD. The second VPC will be used for resources that can be used later in Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2.
|
Managed Active Directory VPC information |
On-premises VPC information |
|---|---|
|
Name tag: AWS-DS-VPC01 IPv4 CIDR block: 10.0.0.0/16 IPv6 CIDR block: No IPv6 CIDR Block Tenancy: Default |
Name tag: AWS-OnPrem-VPC01 IPv4 CIDR block: 10.100.0.0/16 IPv6 CIDR block: No IPv6 CIDR Block Tenancy: Default |
For detailed instructions, see Creating a VPC.
Step 2: Create two subnets per VPC
After you have created the VPCs you will need to create two subnets per VPC using the specified parameters in the following table. For this test lab each subnet will be a /24. This will allows up to 256 addresses to be issued per subnet. Each subnet must be a in a separate AZ. Putting each subnet in a separate in AZ is one of the Prerequisites for creating a AWS Managed Microsoft AD.
|
AWS-DS-VPC01 subnet Information: |
AWS-OnPrem-VPC01 subnet information |
|---|---|
|
Name tag: AWS-DS-VPC01-Subnet01 VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 Availability Zone: us-west-2a IPv4 CIDR block: 10.0.0.0/24 |
Name tag: AWS-OnPrem-VPC01-Subnet01 VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 Availability Zone: us-west-2a IPv4 CIDR block: 10.100.0.0/24 |
|
Name tag: AWS-DS-VPC01-Subnet02 VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 Availability Zone: us-west-2b IPv4 CIDR block: 10.0.1.0/24 |
Name tag: AWS-OnPrem-VPC01-Subnet02 VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 Availability Zone: us-west-2b IPv4 CIDR block: 10.100.1.0/24 |
For detailed instructions, see Creating a subnet in your VPC.
Step 3: Create and attach an Internet Gateway to your VPCs
Since we are using public VPCs you will need to create and attach an Internet gateway to your VPCs using the specified parameters in the following table. This will allow you to be able to connect to and manage your EC2 instances.
|
AWS-DS-VPC01 Internet Gateway information |
AWS-OnPrem-VPC01 Internet Gateway information |
|---|---|
|
Name tag: AWS-DS-VPC01-IGW VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 |
Name tag: AWS-OnPrem-VPC01-IGW VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |
For detailed instructions, see Internet gateways.
Step 4: Configure a VPC peering connection between AWS-DS-VPC01 and AWS-OnPrem-VPC01
Since you already created two VPCs earlier, you will need to network them together using VPC peering using the specified parameters in the following table. While there are many ways to connect your VPCs, this tutorial will use VPC Peering. AWS Managed Microsoft AD supports many solutions to connect your VPCs, some of these include VPC peering, Transit Gateway, and VPN.
|
Peering connection name tag: AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer VPC (Requester): vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 Account: My Account Region: This Region VPC (Accepter): vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |
For instructions on how to create a VPC Peering Connection with another VPC from with in your account, see Creating a VPC peering connection with another VPC in your account.
Step 5: Add two routes to each VPC’s main route table
In order for the Internet Gateways and VPC Peering Connection created in the previous steps to be functional you will need to update the main route table of both VPCs using the specified parameters in the following table. You will be adding two routes; 0.0.0.0/0 which will route to all destinations not explicitly known to the route table and 10.0.0.0/16 or 10.100.0.0/16 which will route to each VPC over the VPC Peering Connection established above.
You can easily find the correct route table for each VPC by filtering on the VPC name tag (AWS-DS-VPC01 or AWS-OnPrem-VPC01).
|
AWS-DS-VPC01 route 1 information |
AWS-DS-VPC01 route 2 information |
AWS-OnPrem-VPC01 route 1 Information |
AWS-OnPrem-VPC01 route 2 Information |
|---|---|---|---|
|
Destination: 0.0.0.0/0 Target: igw-xxxxxxxxxxxxxxxxx AWS-DS-VPC01-IGW |
Destination: 10.100.0.0/16 Target: pcx-xxxxxxxxxxxxxxxxx AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |
Destination: 0.0.0.0/0 Target: igw-xxxxxxxxxxxxxxxxx AWS-Onprem-VPC01 |
Destination: 10.0.0.0/16 Target: pcx-xxxxxxxxxxxxxxxxx AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |
For instructions on how to add routes to a VPC route table, see Adding and removing routes from a route table.
Create security groups for Amazon EC2 instances
By default, AWS Managed Microsoft AD creates a security group to manage traffic between its domain controllers. In this section, you will need to create 2 security groups (one for each VPC) which will be used to manage traffic within your VPC for your EC2 instances using the specified parameters in the following tables. You also add a rule that allows RDP (3389) inbound from anywhere and for all traffic types inbound from the local VPC. For more information, see Amazon EC2 security groups for Windows instances.
|
AWS-DS-VPC01 security group information: |
|---|
|
Security group name: AWS DS Test Lab Security Group Description: AWS DS Test Lab Security Group VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 |
Security Group Inbound Rules for AWS-DS-VPC01
| Type | Protocol | Port range | Source | Type of traffic |
|---|---|---|---|---|
| Custom TCP Rule | TCP | 3389 | My IP | Remote Desktop |
| All Traffic | All | All | 10.0.0.0/16 | All local VPC traffic |
Security Group Outbound Rules for AWS-DS-VPC01
| Type | Protocol | Port range | Destination | Type of traffic |
|---|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 | All traffic |
| AWS-OnPrem-VPC01 security group information: |
|---|
|
Security group name: AWS OnPrem Test Lab Security Group. Description: AWS OnPrem Test Lab Security Group. VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |
Security Group Inbound Rules for AWS-OnPrem-VPC01
| Type | Protocol | Port range | Source | Type of traffic |
|---|---|---|---|---|
| Custom TCP Rule | TCP | 3389 | My IP | Remote Desktop |
| Custom TCP Rule | TCP | 53 | 10.0.0.0/16 | DNS |
| Custom TCP Rule | TCP | 88 | 10.0.0.0/16 | Kerberos |
| Custom TCP Rule | TCP | 389 | 10.0.0.0/16 | LDAP |
| Custom TCP Rule | TCP | 464 | 10.0.0.0/16 | Kerberos change / set password |
| Custom TCP Rule | TCP | 445 | 10.0.0.0/16 | SMB / CIFS |
| Custom TCP Rule | TCP | 135 | 10.0.0.0/16 | Replication |
| Custom TCP Rule | TCP | 636 | 10.0.0.0/16 | LDAP SSL |
| Custom TCP Rule | TCP | 49152 - 65535 | 10.0.0.0/16 | RPC |
| Custom TCP Rule | TCP | 3268 - 3269 | 10.0.0.0/16 | LDAP GC & LDAP GC SSL |
| Custom UDP Rule | UDP | 53 | 10.0.0.0/16 | DNS |
| Custom UDP Rule | UDP | 88 | 10.0.0.0/16 | Kerberos |
| Custom UDP Rule | UDP | 123 | 10.0.0.0/16 | Windows Time |
| Custom UDP Rule | UDP | 389 | 10.0.0.0/16 | LDAP |
| Custom UDP Rule | UDP | 464 | 10.0.0.0/16 | Kerberos change / set password |
| All Traffic | All | All | 10.100.0.0/16 | All local VPC traffic |
Security Group Outbound Rules for AWS-OnPrem-VPC01
| Type | Protocol | Port range | Destination | Type of traffic |
|---|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 | All traffic |
For detailed instructions on how to create and add rules to your security groups, see Working with security groups.
