Microsoft Workloads on AWS

The refreshed AWS Launch Wizard for Active Directory deployment release

AWS recently refreshed the AWS Launch Wizard Active Directory (AD) deployment with improvements and new options. In this post, we will cover what has changed and also how these changes may influence future updates to the service.

In this refreshed release, we have updated the following:

  • Option to install AWS Managed Microsoft Active Directory with additional automation. This will reduce your effort when configuring an Amazon Virtual Private Cloud (VPC), deploying a management server, creating a Public Key Infrastructure (PKI), and setting up a Microsoft Remote Desktop Gateway (RDGW).
  • Ability to extend your existing on-premises AD to AWS via a new VPC.
  • Modern OS-level configurations using AWS Systems Manager (SSM) Automation documents.
  • Option to enable advanced auditing and metrics for the self-managed AD domain controller scenarios and for the management instance in the AWS Managed Microsoft AD scenario.

With the recently refreshed release, the AWS Launch Wizard for Active Directory pulls the latest updates from the Microsoft Active Directory AWS QuickStart GitHub repository. AWS QuickStarts are open source, so you can contribute fixes or provide feedback directly to the Microsoft Active Directory AWS QuickStart.

Walkthrough

In the following walkthrough, we will demonstrate the use of the AWS Launch Wizard for Active Directory (AD) deployment.

After you successfully deploy AWS Managed Microsoft AD, you will modify the domain controllers' security group so that certificate auto-enrollment against the enterprise CA can take place.

Finally, once the LDAP over SSL (LDAPS) certificates have been issued via auto-enrollment, you will validate that LDAPS is functional.

While you could deploy each of these components manually and separately, AWS Launch Wizard unifies them into a single graphical, wizard-driven deployment.

Launch AWS Managed Microsoft AD with Management and Microsoft Enterprise PKI Instances

In this section, you will perform the following operations using the AWS Launch Wizard for Active Directory (AD):

  • Create AWS Managed Microsoft AD
  • Create Management instance
  • Implement two-tier PKI into a new VPC

To implement these steps, proceed as follows:

1. Sign into the AWS Management Console, open the AWS Launch Wizard console, and select Choose application.

2. In the Available applications drop down list, select Microsoft Active Directory.

3. For Deployment type, select AWS Managed Microsoft AD – new VPC, and then select Create deployment, as shown in Figure 1.

Figure 1: Deployment Selection

4. In the displayed Review permission page, select Next.

5. This will bring you to the Configure application settings page.

6. In the General setting section of the page, fill in the following field:

  • Deployment name: Any name you wish.

7. Scroll down to the Network configuration section of the page and fill in the following fields:

  • Number of Availability Zones: 2 or 3. In this example, I use 2, as shown in Figure 2.
  • Availability Zones: Select 2 or 3 AZs. In this example, I use us-east-2a and us-east-2b, as shown in Figure 2.
  • Uncheck the checkbox Select this option to create and associate a new DHCP options set for the VPC, as shown in Figure 2.

Figure 2: Network Configuration

8. Scroll down to the Amazon EC2 configuration section of the page and fill in the following field:

  • Key pair name: Select a key pair from your account. In this example, I use Baseline, as shown in Figure 3.

9. Scroll down to the Microsoft Active Directory configuration section of the page and fill in the following fields:

  • Domain DNS name: Enter the DNS name of the AWS Managed Microsoft AD directory. In this example, I use corp.example.com, as shown in Figure 3.
  • Domain NetBIOS name: Enter the NetBIOS name of the AWS Managed Microsoft AD directory. In this example, I use CORP, as shown in Figure 3.
  • Admin account password: Enter a password to set on the Admin account, as shown in Figure 3.

Figure 3: EC2 and Active Directory Configuration

10. Scroll down to the Microsoft Active Directory Certificate Services configuration section of the page and fill in the following field:

  • Certificate Authority deployment type: Select Two-Tier, as shown in Figure 4.

Figure 4: Active Directory Certificate Service Configuration

11. Scroll down to the Microsoft Remote Desktop Gateway configuration section of the page and fill in the following field:

  • Number of Remote Desktop Gateway host: Enter 0, as shown in Figure 5.

Figure 5: RDGW Configuration

12. Leave the rest of the fields on this page to their defaults, and select Next. This will bring you to the Configure infrastructure settings page.

13. On the Configure infrastructure settings page, configure the following fields:

  • Define infrastructure requirements: Based on static values
  • Management Server Instance Type: t3.medium
  • CA Instance Type: t3.medium

14. Leave the rest of the fields on this page to their defaults and select Next. This will bring you to the Review post-deployment steps page.

15. On the Review post-deployment steps page, select Next. This will bring you to the Review and deploy page.

16. On the Review and deploy page review your selections and select Deploy.

NOTE: It may take up to 2 hours for the deployment to complete.

Preparing Your AWS Managed Microsoft AD Security Group for PKI

Next, you need to adjust the outbound rules of the security group attached to your AWS Managed Microsoft AD domain controllers, so that the domain controllers can reach the Microsoft enterprise certificate authority for certificate auto-enrollment.

1. In the AWS Directory Service console navigation pane, choose Directories.

2. Take note of the Directory ID of the directory you deployed in the previous steps.

3. Navigate to the AWS EC2 console.

4. In the left navigation pane, select Network & Security > Security Groups.

5. In the Filter security groups dialog (at the top) enter the Directory ID from step 2 and hit Enter on your keyboard.

6. You should only see one Security Group returned in the console. Select the Security Group, switch to the Outbound rules tab, and choose Edit outbound rules, as shown in Figure 6.

Figure 6: AWS Managed Microsoft AD Security Group

7. Select Add rule.

8. Select All traffic for the Type field and Custom for the Destination field. In this example, I enter the CIDR of 10.0.0.0/16 in the Destination box. Choose Save rules, as shown in Figure 7. Note that this opens all outbound traffic from the domain controllers to every address in the VPC; it is the quickest way to get enrollment working, and once enrollment is confirmed the rule can be narrowed to the CA's address and the RPC ports (TCP 135 and TCP 49152-65535) that enrollment actually uses.

Figure 7: AWS Managed Microsoft AD Security Group Configuration
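The security group change in steps 1 through 8 can also be scripted, which makes it easier to apply a narrower rule than "All traffic". The PowerShell below is an added example, not code from the original post or the QuickStart; it drives the AWS CLI to find the directory's controller security group and add only the egress that auto-enrollment needs. The directory ID, CA address and region are placeholders, the security-group name pattern is how AWS Managed Microsoft AD names the group in deployments I have seen (confirm it against Figure 6), and the TCP 80 rule assumes the QuickStart's PKI publishes CRL and AIA files over HTTP from the enterprise CA.

```powershell
# Added example, not code from the original post: give the AWS Managed Microsoft AD
# domain controllers only the outbound access that certificate auto-enrollment
# against the enterprise CA needs, instead of "All traffic" to the whole VPC.
# Assumptions (placeholders to replace): directory ID, the CA's private IP, region,
# and an AWS CLI with credentials that may modify security groups in this account.
$DirectoryId = 'd-1234567890'   # assumed directory ID from the Directory Service console
$CaCidr      = '10.0.0.10/32'   # assumed private IP of ENTCA1, as a single-host CIDR
$Region      = 'us-east-2'

# AWS Managed Microsoft AD attaches a security group named "<directory ID>_controllers"
# to its domain controllers; this is the group the Directory ID filter finds in Figure 6.
$GroupId = (aws ec2 describe-security-groups --region $Region `
    --filters "Name=group-name,Values=${DirectoryId}_controllers" `
    --query 'SecurityGroups[0].GroupId' --output text).Trim()
if (-not $GroupId -or $GroupId -eq 'None') {
    throw "No security group named ${DirectoryId}_controllers in $Region"
}

# Auto-enrollment talks to the CA over DCOM/RPC: the endpoint mapper on TCP 135 and
# the dynamic RPC range TCP 49152-65535. TCP 80 is included on the assumption that,
# as in the QuickStart's two-tier PKI, CRL and AIA files are served over HTTP from
# the enterprise CA; drop it if your CDP/AIA URLs point elsewhere.
$rules = @(
    @{ From = 135;   To = 135;   Tag = 'rpc-epm'      },
    @{ From = 49152; To = 65535; Tag = 'rpc-dynamic'  },
    @{ From = 80;    To = 80;    Tag = 'cdp-aia-http' }
)
foreach ($r in $rules) {
    # AWS CLI shorthand syntax for a single IpPermission entry.
    $perm = "IpProtocol=tcp,FromPort=$($r.From),ToPort=$($r.To)," +
            "IpRanges=[{CidrIp=$CaCidr,Description=$($r.Tag)}]"
    aws ec2 authorize-security-group-egress --region $Region --group-id $GroupId --ip-permissions $perm
    if ($LASTEXITCODE -ne 0) {
        throw "Could not add egress rule TCP $($r.From)-$($r.To) to $GroupId"
    }
}

# Review the resulting outbound rules. Once enrollment is confirmed working, a broad
# "All traffic" rule like the one in Figure 7 can be removed with
# aws ec2 revoke-security-group-egress.
aws ec2 describe-security-groups --region $Region --group-ids $GroupId `
    --query 'SecurityGroups[0].IpPermissionsEgress' --output table
```

Run it from a workstation or the management instance with AWS credentials, not from a domain controller (AWS Managed Microsoft AD does not give you a shell on its DCs). If auto-enrollment still does not complete with only these rules, compare the CA's inbound rules and the CDP/AIA URLs in the issued certificates before falling back to the wider rule.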

Validate LDAP over SSL is working with AWS Managed Microsoft AD

Finally, using the LDP.exe tool, you are going to validate that the certificates have been issued to the AWS Managed Microsoft AD domain controllers and that LDAP over SSL is functional.

1. Open the AWS Systems Manager Fleet Manager – Remote Desktop console.

2. Select Add new session, select the node named ENTCA1, and select Add.

3. Select User credentials, enter the following credentials, and select Connect.

a. Username: corp\admin

b. Password: The password you set when you launched the directory.

4. On ENTCA1, open the Start menu, type pkiview.msc, and select it to open the PKI View MMC.

5. In the PKI View MMC, expand the tree for ORCA1 and select ENTCA1. The status for all items should be OK, as shown in Figure 8.

Figure 8: PKI View MMC

6. Right-click ENTCA1 and select Manage CA… to open the Certification Authority MMC (certsrv.msc).

7. In the Certification Authority MMC, expand the tree for ENTCA1 and select Issued Certificates.

8. You should see two certificates issued with the LdapOverSSL-QS certificate template, one for each of the two domain controllers that AWS Managed Microsoft AD deployed across your two Availability Zones, as shown in Figure 9.

Figure 9: Certificate Manager Issued Certificates

Note: the certificate auto-enrollment process on the AWS Managed Microsoft AD domain controllers runs every 30 minutes, so you may wait up to 30 minutes for the certificates to be issued.

9. Go to the Start Menu and type ldp.exe to open the LDAP tool.

10. In the LDP tool, select Connection > Connect, as shown in Figure 10.

Figure 10: LDP Connection

11. In the Connect section, do the following:

a. For Server, enter the DNS name of your domain. In this example, the server is corp.example.com.

b. Port: 636.

c. SSL: Checked.

d. Select OK to connect to the directory through LDAPS, as shown in Figure 11.

Figure 11: LDP Connection Dialog

12. A message confirming that your LDAPS connection is open appears, as shown in Figure 12.

Figure 12: Successful LDAP over SSL Connection
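Connecting ldp.exe to the domain name proves that LDAPS works on whichever domain controller DNS happened to return, and ldp.exe does not tell you whether the certificate's name matches the host you reached. The PowerShell below is an added example, not code from the original post; it repeats the check from steps 9 through 12 against every domain controller found in the domain's SRV records, lets Schannel validate the chain and host name, and then performs a simple bind and a rootDSE read over LDAPS. It assumes it is run on a domain-joined Windows host that trusts the two-tier PKI's root (ENTCA1 qualifies); the domain name is a placeholder.

```powershell
# Added example, not code from the original post: validate LDAPS against every domain
# controller rather than the single DC that ldp.exe happens to reach.
# Assumptions: runs on a domain-joined Windows host whose machine store trusts the
# two-tier PKI's root CA (ENTCA1 works); $Domain is a placeholder.
$Domain = 'corp.example.com'
$Port   = 636
$Cred   = Get-Credential -Message 'Account for the LDAPS bind (for example corp\admin)'

Add-Type -AssemblyName System.DirectoryServices.Protocols

# The _ldap._tcp SRV records list each DC by FQDN. The LDAPS certificate's SAN holds
# that FQDN, so that is the name to validate against, not the bare domain name.
$dcHosts = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcHosts) {
    $r = [ordered]@{
        DC = $dc; TlsOk = $false; BindOk = $false
        Issuer = $null; NotAfter = $null; SAN = $null; NamingContext = $null; Error = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($dc, $Port)
        # No custom validation callback: Schannel checks the chain, revocation status
        # and the host name against the SAN, and AuthenticateAsClient throws on failure.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($dc)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsOk    = $true
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        $r.SAN      = ($cert.DnsNameList.Unicode -join ',')
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "$dc : LDAPS certificate expires $($cert.NotAfter); check auto-enrollment renewal"
        }
        $ssl.Dispose()

        # Protocol-level check: a simple (Basic) bind and a rootDSE read. A simple bind
        # sends the password in clear on port 389; on 636 it sits inside the TLS session
        # that was just validated, which is the point of the LDAPS deployment.
        $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($dc, $Port, $true, $false)
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
            $id, $Cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.Bind()
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $null, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        $r.NamingContext = [string]$resp.Entries[0].Attributes['defaultNamingContext'][0]
        $r.BindOk = $true
        $conn.Dispose()
    }
    catch {
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $tcp.Dispose()
    }
    [pscustomobject]$r
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.BindOk })
if ($failed.Count -gt 0) {
    Write-Warning "LDAPS failed on $($failed.Count) of $($results.Count) domain controllers"
}
```

A TlsOk of False with a chain or name error usually means the DC has not enrolled yet (wait for the 30-minute auto-enrollment cycle and re-check Issued Certificates on ENTCA1) or the host running the script does not trust ORCA1; a TlsOk of True with a failed bind points at the credential rather than the PKI.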

Summary

In this post, you deployed a brand new AWS Managed Microsoft AD with a management instance and a two-tier PKI using the updated AWS Launch Wizard. After deployment, you validated that LDAP over SSL was functional using ldp.exe. This post covers just one of the six scenarios that AWS Launch Wizard provides. Other scenarios include standing up a self-managed AD or extending an existing self-managed AD.



Jeremy Girven

Jeremy is a solutions architect specializing in Microsoft workloads on AWS. He has over 16 years’ experience with Microsoft Active Directory and over 25 years of industry experience. One of his fun projects is using SSM to automate the Active Directory build processes in AWS. To see more, check out the Active Directory AWS Partner Solution (https://thinkwithwp.com/solutions/partners/active-directory-ds/).

Lowell Abraham

Lowell Abraham is a Sr. Solutions Architect based in New York specializing in Microsoft and VMware workloads on AWS. With over a decade of experience as a technologist, he works with global strategic customers of AWS to help architect and build solutions in the cloud. Outside work, Lowell loves traveling the world to explore different cultures and cuisines. He is also an avid drone pilot.