Seamlessly join an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory - AWS Directory Service

Seamlessly join an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory

This procedure seamlessly joins an Amazon EC2 Windows instance to your AWS Managed Microsoft AD. If you need to perform seamless domain join across multiple AWS accounts, see Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join. For more information about Amazon EC2, see What is Amazon EC2?.

To seamlessly join a Windows EC2 instance

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation bar, choose the same AWS Region as the existing directory.

  3. On the EC2 Dashboard, in the Launch instance section, choose Launch instance.

  4. On the Launch an instance page, under the Name and Tags section, enter the name you would like to use for your Windows EC2 instance.

  5. (Optional) Choose Add additional tags to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance.

  6. In the Application and OS Image (Amazon Machine Image) section, choose Windows in the Quick Start pane. You can change the Windows Amazon Machine Image (AMI) from the Amazon Machine Image (AMI) dropdown list.

  7. In the Instance type section, choose the instance type you would like to use from the Instance type dropdown list.

  8. In the Key pair (login) section, you can either choose to create a new key pair or choose from an existing key pair.

    1. To create a new key pair, choose Create new key pair.

    2. Enter a name for the key pair and select an option for the Key pair type and Private key file format.

    3. To save the private key in a format that can be used with OpenSSH, choose .pem. To save the private key in a format that can be used with PuTTY, choose .ppk.

    4. Choose Create key pair.

    5. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.

      Important

      This is the only chance for you to save the private key file.

  9. On the Launch an instance page, under the Network settings section, choose Edit. Choose the VPC that your directory was created in from the VPC - required dropdown list.

  10. Choose one of the public subnets in your VPC from the Subnet dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

    For more information on how to connect to an internet gateway, see Connect to the internet using an internet gateway in the Amazon VPC User Guide.

  11. Under Auto-assign public IP, choose Enable.

    For more information about public and private IP addressing, see Amazon EC2 instance IP addressing in the Amazon EC2 User Guide for Windows Instances.

  12. For Firewall (security groups) settings, you can use the default settings or make changes to meet your needs.

  13. For Configure storage settings, you can use the default settings or make changes to meet your needs.

  14. Expand the Advanced details section and choose your domain from the Domain join directory dropdown list.

    Note

    After choosing the Domain join directory, you may see an error message when selecting your Domain join directory:

       There is an error with your existing SSM document.

    This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:

    • If you previously edited the SSM document and the properties are expected, choose Close and proceed to launch the EC2 instance with no changes.

    • Choose the delete the existing SSM document here link to delete the SSM document. This allows an SSM document with the correct properties to be created; it is created automatically when you launch the EC2 instance.

  15. For IAM instance profile, you can select an existing IAM instance profile or create a new one. Select an IAM instance profile that has the AWS managed policies AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess attached to it from the IAM instance profile dropdown list. To create a new one, choose the Create new IAM profile link, and then do the following:

    1. Choose Create role.

    2. Under Select trusted entity, choose AWS service.

    3. Under Use case, choose EC2.

    4. Under Add permissions, in the list of policies, select the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policies. To filter the list, type SSM in the search box. Choose Next.

      Note

      AmazonSSMDirectoryServiceAccess provides the permissions to join instances to an Active Directory managed by AWS Directory Service. AmazonSSMManagedInstanceCore provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see Create an IAM instance profile for Systems Manager in the AWS Systems Manager User Guide.

    5. On the Name, review, and create page, enter a Role name. You will need this role name to attach to the EC2 instance.

    6. (Optional) You can provide a description of the IAM instance profile in the Description field.

    7. Choose Create role.

    8. Return to the Launch an instance page and choose the refresh icon next to the IAM instance profile. Your new IAM instance profile should be visible in the IAM instance profile dropdown list. Choose the new profile and leave the rest of the settings with their default values.

  16. Choose Launch instance.
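The procedure above has three places where a launch silently goes wrong: a subnet without a default route to an internet gateway or without public IP auto-assignment (steps 10 and 11), an existing domain-join SSM document whose properties no longer match the directory (step 14), and an instance profile role that is missing one of the two managed policies (step 15). The following Python script, added here as an example and not part of this AWS guide, runs those three checks before you launch. Its inputs are plain dicts shaped like the boto3 responses for list_attached_role_policies, get_document, describe_subnets and describe_route_tables (an assumption, noted in the code), so it runs offline on the constructed samples at the bottom; the directory ID, domain name, DNS addresses and resource IDs in the samples are placeholders, and the field names it expects under the aws:domainJoin plugin are stated as an assumption.

```python
"""Pre-launch checks for seamless domain join (added example, not AWS code).

Each check takes plain dicts shaped like the corresponding boto3 response
(an assumption: iam.list_attached_role_policies, ssm.get_document,
ec2.describe_subnets, ec2.describe_route_tables) so it runs offline on the
constructed samples at the bottom; in practice, pass the real API output.
"""
import json

# Managed policies the procedure requires on the instance profile's role (step 15).
REQUIRED_POLICIES = {
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess",
}


def missing_role_policies(attached_policies):
    """Return the required policy ARNs not present in the role's attached policies.

    attached_policies: the "AttachedPolicies" list of list_attached_role_policies
    (assumed shape: [{"PolicyName": ..., "PolicyArn": ...}, ...]).
    """
    present = {p["PolicyArn"] for p in attached_policies}
    return sorted(REQUIRED_POLICIES - present)


def domain_join_document_problems(content, directory_id, directory_name, dns_ips):
    """Compare an existing domain-join SSM document with its target directory (step 14).

    content: the "Content" JSON string from get_document. The layout checked here
    (runtimeConfig -> "aws:domainJoin" -> properties -> directoryId, directoryName,
    dnsIpAddresses) is what the aws:domainJoin plugin consumes; treat the field
    names as an assumption and adjust if your document differs.
    """
    try:
        doc = json.loads(content)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]
    props = doc.get("runtimeConfig", {}).get("aws:domainJoin", {}).get("properties")
    if not isinstance(props, dict):
        return ["document has no aws:domainJoin plugin with a properties block"]
    problems = []
    if props.get("directoryId") != directory_id:
        problems.append(f"directoryId is {props.get('directoryId')!r}, expected {directory_id!r}")
    if props.get("directoryName") != directory_name:
        problems.append(f"directoryName is {props.get('directoryName')!r}, expected {directory_name!r}")
    if sorted(props.get("dnsIpAddresses", [])) != sorted(dns_ips):
        problems.append(f"dnsIpAddresses is {props.get('dnsIpAddresses')!r}, expected {sorted(dns_ips)!r}")
    return problems


def subnet_reachability_problems(subnet, route_table):
    """Check the subnet choice from steps 10 and 11: a default route to an internet
    gateway and public IP auto-assignment. subnet is one entry of describe_subnets
    ("Subnets"); route_table is the one associated with it from describe_route_tables.
    """
    problems = []
    if not subnet.get("MapPublicIpOnLaunch"):
        problems.append("subnet does not auto-assign public IPs (step 11)")
    has_igw_default = any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in route_table.get("Routes", [])
    )
    if not has_igw_default:
        problems.append("route table has no 0.0.0.0/0 route to an internet gateway (step 10)")
    return problems


# Constructed sample data (placeholder directory id, domain, addresses and resource ids).
SAMPLE_DIRECTORY_ID = "d-1234567890"
SAMPLE_DIRECTORY_NAME = "corp.example.com"
SAMPLE_DNS_IPS = ["10.0.0.10", "10.0.1.10"]
SAMPLE_DOCUMENT = json.dumps({
    "schemaVersion": "1.0",
    "description": "Automatic Domain Join Configuration",
    "runtimeConfig": {"aws:domainJoin": {"properties": {
        "directoryId": SAMPLE_DIRECTORY_ID,
        "directoryName": SAMPLE_DIRECTORY_NAME,
        "dnsIpAddresses": SAMPLE_DNS_IPS,
    }}},
})
# This sample role lacks AmazonSSMDirectoryServiceAccess, so the step 15 check fires.
SAMPLE_ATTACHED_POLICIES = [
    {"PolicyName": "AmazonSSMManagedInstanceCore",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"},
]
SAMPLE_SUBNET = {"SubnetId": "subnet-0123456789abcdef0", "MapPublicIpOnLaunch": True}
SAMPLE_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
]}


def run_all_checks():
    """Run every check on the samples and return the combined list of findings."""
    findings = [f"missing policy: {arn}" for arn in missing_role_policies(SAMPLE_ATTACHED_POLICIES)]
    findings += domain_join_document_problems(
        SAMPLE_DOCUMENT, SAMPLE_DIRECTORY_ID, SAMPLE_DIRECTORY_NAME, SAMPLE_DNS_IPS)
    findings += subnet_reachability_problems(SAMPLE_SUBNET, SAMPLE_ROUTE_TABLE)
    return findings


if __name__ == "__main__":
    for finding in run_all_checks() or ["all pre-launch checks passed"]:
        print(finding)
```

On the samples, the only finding is the missing AmazonSSMDirectoryServiceAccess policy; attaching it to the role (or picking a profile whose role already has both policies, as step 15 describes) clears it. If the document check reports a mismatch, that is the situation the note under step 14 describes, and deleting the document so the launch wizard recreates it is the fix the guide gives.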