In managing a fleet of Windows instances, establishing a central file repository accessible from various locations is often a necessity. Automatically mapping Server Message Block (SMB) file shares enhances the experience for end-users connecting to domain-joined instances, alleviating the repetitive and laborious task of manually mapping file shares across hundreds of new instances as they integrate into your domain.
Amazon FSx for Windows File Server offers fully managed, reliable, and scalable file storage built on Windows Server and accessible over the SMB protocol. It comes with a comprehensive set of data management and administrative features, including user quotas, Active Directory (AD) integration, snapshots, backups, and encryption both at rest and in transit. FSx file systems can be accessed from Windows, Linux, and macOS instances and devices running on AWS or on-premises. Using FSx for Windows File Server together with AWS Auto Scaling lets you size compute to demand while keeping the file storage layer managed.
In this article, I will demonstrate how to configure an AWS Auto Scaling group to seamlessly connect Amazon Elastic Compute Cloud (Amazon EC2) instances to a Microsoft AD using AWS Systems Manager. Following this setup, you can automatically map your Amazon FSx File Server shares by configuring a Group Policy Object (GPO) in your directory, minimizing the manual interactions required.
Solution Overview
The solution architecture can be visualized in the following diagram:
[Insert Solution Architecture Diagram]
AWS Auto Scaling launches Amazon EC2 instances that carry a specific tag. A Systems Manager State Manager association targets the new instance by that tag and runs a Systems Manager document containing your directory information, so the instance joins the domain automatically at launch. Once the instance is part of the domain, a pre-configured GPO in your AD applies to users who log on, making the FSx for Windows File Server file shares available to them.
Prerequisites
To implement the steps outlined here, you must already have an AD domain managed within AWS; alternatively, you can use your self-managed AD. For details, refer to the documentation on creating your AWS Managed Microsoft AD directory or on integrating an Amazon FSx file system with a self-managed Microsoft Active Directory domain. This post uses an AWS Managed Microsoft AD directory.
You will also need an Amazon Machine Image (AMI) for a Windows EC2 instance that is managed by Systems Manager, which requires SSM Agent to be installed and an instance profile that allows the agent to register. For details, review the Systems Manager prerequisites. If you prefer a custom AMI, you can learn how to create a standardized Amazon Machine Image (AMI) using Sysprep.
It is important to note that this solution is limited to EC2 instances operating within an Amazon Virtual Private Cloud (Amazon VPC) with access to public AWS service endpoints. For more details, examine VPC endpoint restrictions and limitations.
Implementing the Solution
The implementation of the solution is categorized into three parts:
Part A
Seamlessly join an EC2 instance to your domain using Systems Manager.
- Create a domain-join Systems Manager Document.
- Establish a new AWS Identity and Access Management (IAM) instance profile.
- Create a Systems Manager State Manager association.
Part B
Configure AD GPOs to map your FSx for Windows File Server file shares upon logging in with a domain user on a domain-joined computer.
- Create an FSx for Windows File Server file system.
- Set up an AD Group Policy to deploy the share.
Part C
Integrate the solution with your Auto Scaling group.
- Create a new launch template.
- Create a new Auto Scaling group from the launch template.
Part A: Joining an EC2 Instance to Your Domain Using Systems Manager
This section outlines the steps required to configure AWS SSM to automatically join your instances to your domain, including the creation of a domain-join SSM document, establishing a new IAM instance profile, and setting up a State Manager association to automate the process.
Step 1: Create a Domain-Join Systems Manager Document
AWS Systems Manager allows for remote management of your Windows EC2 instances through Systems Manager documents. These documents define the commands to be executed on an instance, such as the aws:domainJoin plugin, which instructs Systems Manager to join a Windows EC2 instance to a domain.
To create a Systems Manager document that includes your domain-join configuration—such as the organizational unit (OU) for the new server—follow these steps:
- Navigate to the AWS Systems Manager Documents console.
- Select Create Document > Command or Session.
- In the name field, use “awsconfig_Domain_<directoryId>_<directoryName>”, replacing <directoryId> and <directoryName> with your directory information, for instance “awsconfig_Domain_d-1234567890_example.com”.
- Choose Command document as the document type.
- In the content section, you may copy the sample below and replace the domain properties with your information.
{
  "schemaVersion": "1.0",
  "description": "Sample document for automatic Domain Join operation",
  "runtimeConfig": {
    "aws:domainJoin": {
      "properties": {
        "directoryId": "d-1234567890",
        "directoryName": "example.com",
        "directoryOU": "OU=test,OU=example,DC=example,DC=com",
        "dnsIpAddresses": [
          "198.51.100.1",
          "198.51.100.2"
        ]
      }
    }
  }
}
In this configuration document:
- directoryId is the ID of the directory (or AD Connector) created in AWS Directory Service.
- directoryName is the fully qualified domain name (e.g., example.com).
- directoryOU is the distinguished name of the organizational unit in which the computer object is created. It must lie within the domain named by directoryName; for AWS Managed Microsoft AD it must sit under the OU that AWS delegates to you, which is named after your directory's NetBIOS name, as in the sample above.
- dnsIpAddresses lists the IP addresses of the DNS servers you noted when creating your directory (or AD Connector) in Directory Service.
Once you’ve completed these steps, click Create Document at the bottom of the page.
If you have previously used the seamless domain-join feature, a document with the same name but without OU information may already exist. You can confirm this in the Systems Manager Documents console under the Owned by me tab by filtering on “Document name prefix: Equals:” with the name of your document. If the document exists, delete it and create the new one with the OU information; instances that are already joined are not affected, since the document only runs when an association applies it.
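As an added example (not part of the original post), the following Python script assembles the same aws:domainJoin document from a few parameters and checks them before anything is uploaded: the Directory Service ID format, the domain name, that the OU's distinguished name actually sits inside that domain, and that the DNS addresses are usable. It can also read the content of an existing document (for example the output of aws ssm get-document) and report whether it already carries an OU, which is the situation the note above describes. All directory values in it are constructed placeholders.

```python
"""Build and sanity-check the aws:domainJoin document from Step 1.

Added example, not the original author's code. Directory values are
constructed placeholders; substitute your own.
"""
import ipaddress
import json
import re

# Directory Service IDs look like d-1234567890 (d- plus ten hex characters).
DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")
# One DNS label: letters, digits and inner hyphens, at most 63 characters.
DOMAIN_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def document_name(directory_id, directory_name):
    """Naming convention the seamless-join feature expects for the document."""
    return f"awsconfig_Domain_{directory_id}_{directory_name}"


def _check_directory_name(directory_name):
    labels = directory_name.split(".")
    if len(labels) < 2 or not all(DOMAIN_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a valid DNS domain name: {directory_name!r}")
    return directory_name


def _check_ou(directory_ou, directory_name):
    """The OU must be a distinguished name inside the directory's own domain;
    a DN ending in another domain's DC components would fail the join or put
    the computer object somewhere you did not intend."""
    if not directory_ou.upper().startswith("OU="):
        raise ValueError("directoryOU must be a distinguished name starting with OU=")
    suffix = ",".join(f"DC={label}" for label in directory_name.split("."))
    if not directory_ou.lower().endswith("," + suffix.lower()):
        raise ValueError(f"directoryOU must end with {suffix}")
    return directory_ou


def _check_dns(dns_ips):
    """Each entry must be a valid, usable IPv4 address; duplicates are a slip."""
    seen = []
    for raw in dns_ips:
        ip = ipaddress.IPv4Address(raw)  # raises ValueError on a malformed address
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"unusable DNS server address: {raw}")
        if str(ip) in seen:
            raise ValueError(f"duplicate DNS server address: {raw}")
        seen.append(str(ip))
    if not seen:
        raise ValueError("at least one DNS server address is required")
    return seen


def build_document(directory_id, directory_name, directory_ou, dns_ips):
    """Return the document as a dict in the exact shape shown in Step 1."""
    if not DIRECTORY_ID_RE.match(directory_id):
        raise ValueError(f"not a Directory Service ID: {directory_id!r}")
    _check_directory_name(directory_name)
    return {
        "schemaVersion": "1.0",
        "description": "Sample document for automatic Domain Join operation",
        "runtimeConfig": {
            "aws:domainJoin": {
                "properties": {
                    "directoryId": directory_id,
                    "directoryName": directory_name,
                    "directoryOU": _check_ou(directory_ou, directory_name),
                    "dnsIpAddresses": _check_dns(dns_ips),
                }
            }
        },
    }


def render(document):
    """Serialize for `aws ssm create-document --content file://...`."""
    return json.dumps(document, indent=2)


def document_has_ou(content):
    """Inspect the JSON content of an existing document (for example the
    output of `aws ssm get-document`) and report whether it pins an OU."""
    props = json.loads(content)["runtimeConfig"]["aws:domainJoin"]["properties"]
    return bool(props.get("directoryOU"))


if __name__ == "__main__":
    # Constructed sample values matching the document shown in Step 1.
    doc = build_document("d-1234567890", "example.com",
                         "OU=test,OU=example,DC=example,DC=com",
                         ["198.51.100.1", "198.51.100.2"])
    print(document_name("d-1234567890", "example.com"))
    print(render(doc))
```

Save the rendered JSON to a file and create the document with aws ssm create-document --name <document name> --document-type Command --content file://domain-join.json. Any validation failure raises ValueError before an API call is made, so the script can sit in a pipeline step that gates the upload.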
Step 2: Create a New IAM Instance Profile
An instance profile role must be created so that Systems Manager can call AWS Directory Service on the instance's behalf and join your EC2 Windows instances to the AD domain. You may skip Step 2A and instead attach the AWS managed policies AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess; be aware that these grant the permissions for all core Systems Manager functionality, which is broader than a policy scoped to domain join alone.
Step 2A: Create a Custom IAM Policy
Open the IAM console and navigate to Policies under Access Management. Create a policy named “SeamlessDomainJoinPolicy” that follows the principle of least privilege, granting the instance role only the Systems Manager and Directory Service actions the domain join requires.