You can now share a single AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) among multiple AWS accounts within a given AWS Region. This feature simplifies and reduces the cost of running directory-aware workloads from one directory across multiple accounts and Amazon Virtual Private Clouds (Amazon VPCs). Rather than manually domain-joining your Amazon Elastic Compute Cloud (EC2) instances or creating a separate directory for each account and VPC, you can use one directory from any AWS account and any VPC in the same Region.
In this tutorial, I will guide you through the process of launching two EC2 instances, each located in different Amazon VPCs within the same AWS account (the directory consumer account), and seamlessly domain-joining both instances to a directory in another account (the directory owner account). This will be accomplished in four key steps:
- Create an AWS Managed Microsoft AD directory.
- Establish networking connectivity between VPCs.
- Share the directory with the directory consumer account.
- Launch Amazon EC2 instances and seamlessly domain join to the directory.
Solution Architecture
The diagram below outlines the steps to use a single AWS Managed Microsoft AD across multiple accounts. Upon completing Step 3, AWS Managed Microsoft AD creates a shared directory in the directory consumer account. This shared directory is a reference to the owner account's directory, not a second copy: it holds the metadata that the seamless domain join uses to locate the directory in the owner account. Note that additional charges may apply for directory sharing.
Step 1: Create an AWS Managed Microsoft AD Directory
Begin by creating an AWS Managed Microsoft AD directory in your directory owner account and its Amazon VPC. In the examples used throughout this tutorial, the domain name is example.com; replace this with your own domain name. During directory creation you select the subnets in which the domain controllers are deployed. AWS Managed Microsoft AD requires the selected subnets to be in different Availability Zones. In this scenario I have no particular subnet preference, so I choose “No Preference” from the Subnets drop-down menu.
Select “Next” to review your configuration, then click “Create directory.” Expect the directory creation process to take approximately 20-45 minutes. While this is underway, you can proceed to the next step.
Step 2: Establish Networking Connectivity Between VPCs
To domain join your Amazon EC2 instances to the directory, establishing networking connectivity between the VPCs is necessary. There are several methods to achieve this; in this instance, I’ll demonstrate the use of Amazon VPC peering by executing the following steps:
- Create a VPC peering connection between the directory owner VPC-0 and directory consumer VPC-1, followed by another connection between directory owner VPC-0 and directory consumer VPC-2. Here are my VPC details for reference:
VPC | CIDR Block |
---|---|
Directory Owner VPC-0 | 172.31.0.0/16 |
Directory Consumer VPC-1 | 10.0.0.0/16 |
Directory Consumer VPC-2 | 10.100.0.0/16 |
- Enable traffic routing between the peered VPCs by adding routes to each VPC route table that point to the VPC peering connection. Peering routes are not created automatically and peering is not transitive, so each side needs its own route. My directory owner VPC-0 route table includes the following routes via the peering connections:
Destination | Target |
---|---|
172.31.0.0/16 | Local |
10.0.0.0/16 | pcx-0 |
10.100.0.0/16 | pcx-1 |
Configure the route table of each directory consumer VPC with a route to the directory owner VPC-0 CIDR via its peering connection. The seamless domain join is carried out by the AWS Systems Manager (SSM) agent on the instance, which needs a network path to the Systems Manager endpoints. Attaching an Internet Gateway to the consumer VPC (as in the tables below, with a public IP on the instance) is one option; a NAT gateway or VPC interface endpoints for Systems Manager are alternatives that keep the instances off the public internet. Here are my directory consumer VPC route table configurations:
- VPC-1 route table:
Destination | Target |
---|---|
10.0.0.0/16 | Local |
172.31.0.0/16 | pcx-0 |
0.0.0.0/0 | igw-0 |
- VPC-2 route table:
Destination | Target |
---|---|
10.100.0.0/16 | Local |
172.31.0.0/16 | pcx-1 |
0.0.0.0/0 | igw-1 |
Next, configure the security group used by your instances in the directory consumer VPCs to allow the outbound Active Directory protocols and ports (DNS, Kerberos, LDAP and LDAPS, SMB, RPC and the dynamic RPC range) in the outbound rules table. Scope the destination of these rules to the directory owner VPC-0 CIDR rather than 0.0.0.0/0, and confirm that the security group attached to the directory's domain controllers in the owner account accepts that inbound traffic from the consumer VPC CIDRs; VPC peering does not relax security group evaluation on either side.
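The networking plan from Step 2 can be sanity-checked before anything is created. The following script is an added example, not part of the original tutorial or of any AWS tooling: it uses the tutorial's VPC CIDRs and its placeholder pcx- identifiers, checks that no two CIDRs overlap (VPC peering refuses overlapping ranges), derives the reciprocal routes every route table needs, and builds security-group egress rules in the EC2 IpPermissions shape, scoped to the owner VPC only. The port list is my reading of the AWS Managed Microsoft AD domain-join prerequisites and should be confirmed against the current AWS documentation before use.

```python
"""Offline sanity check of the VPC peering plan from Step 2 (added example)."""
import ipaddress

# Constructed from the tutorial's table: owner VPC-0 and two consumer VPCs.
VPCS = {
    "VPC-0": "172.31.0.0/16",   # directory owner
    "VPC-1": "10.0.0.0/16",     # directory consumer
    "VPC-2": "10.100.0.0/16",   # directory consumer
}
OWNER = "VPC-0"
PEERINGS = {"VPC-1": "pcx-0", "VPC-2": "pcx-1"}  # consumer -> peering connection

# (protocol, from_port, to_port) a domain member must reach on the domain
# controllers. Assumed list; verify against AWS's published prerequisites.
AD_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("udp", 123, 123),                       # NTP (Windows Time)
    ("tcp", 135, 135),                       # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445),                       # SMB
    ("tcp", 464, 464), ("udp", 464, 464),    # Kerberos password change
    ("tcp", 636, 636),                       # LDAPS
    ("tcp", 3268, 3269),                     # Global Catalog
    ("tcp", 9389, 9389),                     # AD Web Services
    ("tcp", 49152, 65535),                   # dynamic RPC range
]


def check_no_overlap(vpcs):
    """VPC peering refuses overlapping CIDRs; return the offending VPC pairs."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def plan_routes(vpcs, owner, peerings):
    """Route entries (destination, target) each route table needs.

    Peering is not transitive and routes are not created automatically: the
    owner needs one route per consumer CIDR and each consumer needs a route
    to the owner CIDR, both pointing at the same pcx- identifier.
    """
    routes = {name: [(cidr, "local")] for name, cidr in vpcs.items()}
    for consumer, pcx in peerings.items():
        routes[owner].append((vpcs[consumer], pcx))
        routes[consumer].append((vpcs[owner], pcx))
    return routes


def missing_reciprocal(routes, owner, peerings, vpcs):
    """Consumer VPCs whose peering route exists on only one side of the link."""
    bad = []
    for consumer, pcx in peerings.items():
        owner_ok = (vpcs[consumer], pcx) in routes[owner]
        consumer_ok = (vpcs[owner], pcx) in routes[consumer]
        if not (owner_ok and consumer_ok):
            bad.append(consumer)
    return bad


def egress_rules(owner_cidr):
    """Security-group egress rules in EC2 IpPermissions shape.

    Destination is the owner VPC CIDR, not 0.0.0.0/0, so a consumer instance
    can reach the domain controllers on AD ports and nothing else.
    """
    return [
        {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": owner_cidr,
                       "Description": "AD traffic to directory VPC"}]}
        for proto, lo, hi in AD_PORTS
    ]


if __name__ == "__main__":
    overlaps = check_no_overlap(VPCS)
    assert not overlaps, f"overlapping CIDRs cannot be peered: {overlaps}"
    routes = plan_routes(VPCS, OWNER, PEERINGS)
    assert not missing_reciprocal(routes, OWNER, PEERINGS, VPCS)
    for vpc, entries in routes.items():
        print(vpc, entries)
    print(len(egress_rules(VPCS[OWNER])), "egress rules scoped to", VPCS[OWNER])
```

The rule dictionaries returned by `egress_rules` are in the shape that `ec2.authorize_security_group_egress(GroupId=..., IpPermissions=...)` accepts, so they can be applied directly once the plan checks out; the internet-facing 0.0.0.0/0 routes shown in the tutorial's tables are deliberately not part of this plan because only the SSM agent's path needs them.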
Step 3: Share the Directory with the Directory Consumer Account
With your networking configured, you now need to make your directory accessible to the directory consumer account. This can be done by sharing your directory. Directory sharing operates at the account level, making the directory visible to all VPCs within the directory consumer account.
There are two methods for directory sharing with AWS Managed Microsoft AD: AWS Organizations and Handshake.
- AWS Organizations simplifies sharing within your organization because it lets you browse and validate the directory consumer accounts. To use this option, your organization must have all features enabled, and the directory must be in the organization's management account (formerly called the master account). This method streamlines setup because directory consumer accounts do not need to accept the sharing request.
- Handshake enables directory sharing outside of AWS Organizations, requiring the directory consumer account to accept the sharing request.
In this example, I will guide you through using AWS Organizations to share a directory:
- Open the AWS Management Console and select Directory Service, then choose the directory you wish to share (in this case, example.com). Click the Actions button, followed by the Share directory option.
- Select “Share this directory with AWS accounts inside your organization,” then click the “Enable Access to AWS Organizations” button. This allows your AWS account to list all accounts in your organization within the AWS Directory Service console.
- Choose your directory consumer account (for this example, Consumer Example) from the Organization accounts browser, then click the Add button.
The shared directory should now be visible in the AWS Management Console of the directory consumer account, making it available for the domain joining process.
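The same sharing step can be driven through the Directory Service API, and because sharing is account-wide it is worth auditing which accounts hold a share. The following is an added example and not code from the original tutorial: `share_request` builds the keyword arguments for boto3's `ds.share_directory()`, choosing ORGANIZATIONS or HANDSHAKE as the two methods described above, and `audit_shares` classifies a `describe_shared_directories()` response against an allow-list. The directory ID, the account IDs and the sample response are constructed placeholders; the field names are those of the AWS Directory Service API.

```python
"""Share a directory and audit its shares (added example for Step 3)."""
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def share_request(directory_id, consumer_account, in_organization):
    """Keyword arguments for boto3 ds_client.share_directory().

    ORGANIZATIONS requires the owner to be the organization's management
    account and the consumer to be a member; HANDSHAKE works across any
    accounts but leaves the share in PendingAcceptance until the consumer
    calls accept_shared_directory().
    """
    if not ACCOUNT_ID.match(consumer_account):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "DirectoryId": directory_id,
        "ShareTarget": {"Id": consumer_account, "Type": "ACCOUNT"},
        "ShareMethod": "ORGANIZATIONS" if in_organization else "HANDSHAKE",
        "ShareNotes": "Seamless domain join for consumer VPCs",
    }


def audit_shares(describe_response, allowed_accounts):
    """Classify every share of the owner directory.

    A share exposes the directory to every VPC in the consumer account, so an
    account outside the allow-list is a finding even if the share is active.
    Returns the accounts that are active, still awaiting handshake
    acceptance, and not on the allow-list.
    """
    result = {"active": [], "pending": [], "unexpected": []}
    for share in describe_response.get("SharedDirectories", []):
        account = share["SharedAccountId"]
        if account not in allowed_accounts:
            result["unexpected"].append(account)
        if share["ShareStatus"] == "Shared":
            result["active"].append(account)
        elif share["ShareStatus"] == "PendingAcceptance":
            result["pending"].append(account)
    return result


# Constructed sample of a describe_shared_directories() response; the
# directory and account identifiers are placeholders.
SAMPLE_RESPONSE = {
    "SharedDirectories": [
        {"OwnerDirectoryId": "d-1234567890", "SharedAccountId": "111111111111",
         "SharedDirectoryId": "d-0987654321", "ShareMethod": "ORGANIZATIONS",
         "ShareStatus": "Shared"},
        {"OwnerDirectoryId": "d-1234567890", "SharedAccountId": "222222222222",
         "SharedDirectoryId": "d-1122334455", "ShareMethod": "HANDSHAKE",
         "ShareStatus": "PendingAcceptance"},
        {"OwnerDirectoryId": "d-1234567890", "SharedAccountId": "333333333333",
         "SharedDirectoryId": "d-5566778899", "ShareMethod": "HANDSHAKE",
         "ShareStatus": "Shared"},
    ]
}

if __name__ == "__main__":
    # With credentials: boto3.client("ds").share_directory(**share_request(...))
    # and audit_shares(ds.describe_shared_directories(OwnerDirectoryId=...), ...)
    print(share_request("d-1234567890", "111111111111", in_organization=True))
    print(audit_shares(SAMPLE_RESPONSE, {"111111111111", "222222222222"}))
```

For a HANDSHAKE share, the consumer account completes the exchange with `ds.accept_shared_directory(SharedDirectoryId=...)` using the SharedDirectoryId reported in the owner's response; until then the share stays in PendingAcceptance and no instance in that account can be joined through it.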