
AWS Managed AD (Active Directory)

AWS Managed AD lets you run a Microsoft Active Directory that is fully managed by AWS. You set up the directory with AWS Directory Service and then centrally manage your workloads and accounts, for example logging in to all your EC2 instances with one AD account.

Today I decided to try this hands-on. In my demo I created an AWS Managed AD and launched two EC2 instances: the first was joined to the AD during launch configuration, and the second was joined to the AD after launch. I was then able to log in to and manage both EC2 instances with the same AD account, without having to remember separate credentials for each instance.

Here are the steps:

Go to the AWS console and create an AWS Managed AD (Directory Service): provide a directory name such as xxx-ad.com, select your VPC, security group, subnets, backup plan, etc., and create the AD. It may take around 30 minutes to reach Active status.
Here you also create the directory's root account: the user name is "admin" by default, and you set its password during AD creation.

Now create your first EC2 Windows Server instance. In the launch configuration, under Active Directory, select the AD you created (xxx-ad.com), and choose an IAM role that has the AmazonEC2RoleforSSM policy attached.



Now log in to the EC2 instance with the AD root account, i.e. user name "xxx-ad.com\admin" and the password you set during AD creation; the login should succeed.
To work with the AD (for example, to create another AD user like admin), go to Control Panel > System and Security > System on the instance: the full computer name and domain shown there must include your domain name (xxx-ad.com), since this instance is already joined to your AD.

Now go to Server Manager > Add Roles and Features and install Active Directory Domain Services.

After installation, go to Administrative Tools, where you will find the installed Active Directory tools. Open "Active Directory Users and Computers"; in the left panel you should see your AD (xxx-ad.com). If you do not, right-click "Active Directory Users and Computers" in the left panel, choose Change Domain, enter your domain (xxx-ad.com) and press OK.

Now expand your AD; inside it you will find an OU named after the AD again (for example "poc-ad"). Expand that as well and you will find the Users container, where you can create new users and manage their permissions. For example, I created another user named "user1", then opened the user's properties and made it a member of the admin group ("Admin - xxx-ad.com/AWS Delegated Groups"), so that the new user can RDP to the EC2 instance and perform admin activity.

FYI: if you log in / RDP to your EC2 instance with a local account such as the Windows EC2 Administrator account, you will not be able to access the xxx-ad.com directory in "Active Directory Users and Computers" and will not be able to manage users.
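The user-creation steps above, done from PowerShell instead of the ADUC GUI, as an added example that is not part of the original post. It first checks the two preconditions the post calls out (the instance is joined to the domain, and the session is a domain account rather than the local Administrator), installs the AD management tools, creates the user in the directory's own Users OU and adds it to the delegated admin group. The domain name xxx-ad.com and the user name user1 come from the post; the NetBIOS short name, the OU path and the group name "AWS Delegated Administrators" are assumptions and should be checked against what ADUC shows for your directory.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the first EC2 instance, logged in as xxx-ad.com\admin.
$Domain     = 'xxx-ad.com'                     # from the post
$NetBios    = 'xxx-ad'                         # assumed: the directory's short name shown in ADUC
$NewUser    = 'user1'                          # from the post
$AdminGroup = 'AWS Delegated Administrators'   # assumed: the group under the AWS Delegated Groups OU

# AWS Managed AD only lets the admin create objects under its own OU, e.g.
# OU=Users,OU=xxx-ad,DC=xxx-ad,DC=com (the "poc-ad" node the post expands in ADUC).
$DomainDn = 'DC=' + ($Domain.Split('.') -join ',DC=')
$UsersOu  = "OU=Users,OU=$NetBios,$DomainDn"

# 1. Precondition: the machine must already be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
    throw "This instance is not joined to $Domain (current domain: $($cs.Domain))."
}

# 2. Precondition: a local account (domain part == computer name) cannot manage
#    the directory, which is the failure the post's FYI describes.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. XXX-AD\admin
if ($me.Split('\')[0] -ieq $env:COMPUTERNAME) {
    throw "Logged in with local account '$me'; sign in with a $Domain account to manage the directory."
}

# 3. Install the AD management tools (GUI: Server Manager > Add Roles and Features).
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature | Out-Null
Import-Module ActiveDirectory

# 4. Create the user in the directory's Users OU if it does not exist yet.
$Password = Read-Host -Prompt "Password for $NewUser" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$NewUser'" -Server $Domain)) {
    New-ADUser -Name $NewUser -SamAccountName $NewUser -UserPrincipalName "$NewUser@$Domain" `
               -Path $UsersOu -AccountPassword $Password -Enabled $true -Server $Domain
}

# 5. Make the user a member of the delegated admin group (GUI: user properties > Member Of).
Add-ADGroupMember -Identity $AdminGroup -Members $NewUser -Server $Domain

# 6. Verify the membership the same way you would check it in ADUC.
Get-ADPrincipalGroupMembership -Identity $NewUser -Server $Domain |
    Select-Object -ExpandProperty Name
```

Pinning every cmdlet to `-Server $Domain` makes the commands target the managed directory's domain controllers rather than whatever the session resolves by default, which matters if the instance also has a local or trusted domain configured.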

Now create your second EC2 Windows Server instance and do not join it to the Active Directory during launch. Once the system is running, log in with the Windows local Administrator account you obtained in the last step of the EC2 launch.


Now go to Control Panel > System and Security > System. The full computer name and domain shown here should not contain any AD domain such as xxx-ad.com. To join this EC2 instance to your AD, click the "Change settings" link next to the full computer name, then Change, and change "Member of" to your AD domain (xxx-ad.com). After the change the system needs a restart, and you are done. Now you can log in to this EC2 instance with your AD account as well.


Note: if during the domain change you get an error such as "DNS name does not exist.", it means your EC2 instance cannot reach your AD's DNS. Go to the AWS Managed AD you created (poc-ad.com); on its details page you will find the DNS address (multiple IPs), and these need to be added to your EC2 instance.

Now on your EC2 instance go to Control Panel > Network and Sharing Center > Change adapter settings, open the properties of the AWS network adapter shown there, go to IPv4 > Advanced > DNS tab > Add, enter the IPs from your AD's DNS address one by one, and press OK. Now retry the domain change with the same steps as above.
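The post-launch join of the second instance, including the DNS fix from the note above, as an added example that is not part of the original post. It points the active adapters at the directory's DNS servers, then resolves the domain's DC locator record before attempting the join, so the "DNS name does not exist" failure shows up as a clear resolution error rather than a failed domain change. The domain name xxx-ad.com comes from the post; the two DNS IP addresses are placeholders to be replaced with the addresses shown on the directory's details page.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the second EC2 instance, logged in as the local Administrator.
$Domain     = 'xxx-ad.com'                  # from the post
$DnsServers = @('10.0.0.10', '10.0.1.10')   # placeholders: copy the DNS addresses from the directory's details page

# 1. Point every active adapter at the directory DNS servers
#    (GUI: adapter properties > IPv4 > Advanced > DNS tab).
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $DnsServers
}
Clear-DnsClientCache

# 2. Prove the domain can be located before touching domain membership. The
#    _ldap._tcp.dc._msdcs SRV record is what the join itself looks up.
try {
    $dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    Write-Host "Domain controllers found: $($dc.NameTarget -join ', ')"
} catch {
    throw "Cannot resolve $Domain via $($DnsServers -join ', '). Check the directory's DNS addresses and the security group between this instance and the directory."
}

# 3. Join the domain (GUI: System > Change settings > Change > Member of) and restart.
$cred = Get-Credential -UserName "$Domain\admin" -Message 'Directory admin credentials'
Add-Computer -DomainName $Domain -Credential $cred -Restart -Force

# After the reboot, log in with a domain account and confirm the join with
# (Get-CimInstance Win32_ComputerSystem).Domain and Test-ComputerSecureChannel.
```

Setting DNS on the adapter this way is equivalent to the manual steps in the note; if the instance's subnet uses a DHCP options set that already lists the directory DNS servers, step 1 is a no-op and step 2 is still a useful check.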


Categories/Tags: active directory~ad~aws ad~directory service~aws directory service
