AWS Directory Service - Administration Guide

Administration Guide

AWS Directory Service

Version 1.0

AWS Directory Service Administration Guide

AWS Directory Service: Administration Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service

that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any

manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are

the property of their respective owners, who may or may not be aﬃliated with, connected to, or

Related Items

• Using FSx for Windows File Server as persistent storage on Windows Containers

• Group Managed Service Accounts

Amazon AppStream 2.0 support

Amazon AppStream 2.0 is a fully managed application streaming service. It provides a range of

solutions for users to save and access data through their applications. Amazon FSx with AppStream

2.0 provides a personal persistent storage drive using Amazon FSx and can be conﬁgured to

provide a shared folder to access common ﬁles.

Related Items

• Walkthrough 4: Using Amazon FSx with Amazon AppStream 2.0

• Using Amazon FSx with Amazon AppStream 2.0

• Using Active Directory with AppStream 2.0

Use Case 1: Sign in to AWS applications and services with Active Directory credentials Version 1.0 43

AWS Directory Service Administration Guide

Microsoft SQL Server support

FSx for Windows File Server can be used as a storage option for Microsoft SQL Server 2012

(starting with 2012 version 11.x) and newer system databases (including Master, Model, MSDB, and

TempDB), and for Database Engine user databases.

Related Items

• Install SQL Server with SMB ﬁleshare storage

• Simplify your Microsoft SQL Server high availability deployments using FSx for Windows File

Server

• Group Managed Service Accounts

Home folders and roaming user proﬁle support

FSx for Windows File Server can be used to store data from Active Directory user home folders and

My Documents in a central location. FSx for Windows File Server can also be used to store data

from Roaming User Proﬁles.

Related Items

• Perform a system state recovery of your server

Amazon FSx also supports AWS Managed Microsoft AD Directory Sharing. For more information,

see:

• Share your AWS Managed Microsoft AD

• Using Amazon FSx with AWS Managed Microsoft AD in a diﬀerent VPC or account

Amazon RDS integration with AWS Managed Microsoft AD

Amazon RDS supports external authentication of database users using Kerberos with Microsoft

Active Directory. Kerberos is a network authentication protocol that uses tickets and symmetric-

key cryptography to eliminate the need to transmit passwords over the network. Amazon RDS

support for Kerberos and Active Directory provides the beneﬁts of single sign-on and centralized

authentication of database users so you can keep your user credentials in Active Directory.

To get started with this use case you'll ﬁrst need to set up a basic AWS Managed Microsoft AD and

Amazon RDS conﬁguration.

• Getting started with AWS Managed Microsoft AD

Use Case 1: Sign in to AWS applications and services with Active Directory credentials Version 1.0 45

AWS Directory Service Administration Guide

• Getting started with Amazon RDS

All of the use cases referenced below will start with a base AWS Managed Microsoft AD and

Amazon RDS and cover how to integrate Amazon RDS with AWS Managed Microsoft AD.

• Using Windows authentication with an Amazon RDS for SQL Server DB instance

• Using Kerberos authentication for MySQL

• Using Kerberos authentication with Amazon RDS for Oracle

• Using Kerberos authentication with Amazon RDS for PostgreSQL

Amazon RDS also supports AWS Managed Microsoft AD Directory Sharing. For more information,

see:

• Share your AWS Managed Microsoft AD

• Joining your Amazon RDS DB instances across accounts to a single shared domain

For more information about joining an Amazon RDS for SQL Server to your Active Directory, see

Join Amazon RDS for SQL Server to your self-managed Active Directory.

.NET application using Amazon RDS for SQL Server with group Managed Service Accounts

You can integrate Amazon RDS for SQL Server with a basic .NET application and group Managed

Service Accounts (gMSAs). For more information, see How AWS Managed Microsoft AD Helps

to Simplify the Deployment and Improve the Security of Active Directory–Integrated .NET

Applications

Use Case 2: Manage Amazon EC2 instances

Using familiar Active Directory administration tools, you can apply Active Directory group policy

objects (GPOs) to centrally manage your Amazon EC2 for Windows or Linux instances by joining

your instances to your AWS Managed Microsoft AD domain.

In addition, your users can sign in to your instances with their Active Directory credentials. This

eliminates the need to use individual instance credentials or distribute private key (PEM) ﬁles. This

makes it easier for you to instantly grant or revoke access to users by using Active Directory user

administration tools you already use.

Use Case 2: Manage Amazon EC2 instances Version 1.0 46

AWS Directory Service Administration Guide

Use Case 3: Provide directory services to your Active Directory-aware

workloads

AWS Managed Microsoft AD is an actual Microsoft Active Directory that enables you to run

traditional Active Directory-aware workloads such as Remote Desktop Licensing Manager

and Microsoft SharePoint and Microsoft SQL Server Always On in the AWS Cloud. AWS

Managed Microsoft AD also helps you to simplify and improve the security of Active Directory-

integrated .NET applications by using group Managed Service Accounts (gMSAs) and Kerberos

constrained delegation (KCD).

Use Case 4: AWS IAM Identity Center to Oﬃce 365 and other cloud

applications

You can use AWS Managed Microsoft AD to provide AWS IAM Identity Center services for cloud

applications. You can use Microsoft Entra Connect (formerly known as Azure Active Directory

Connect) to synchronize your users into Microsoft Entra (formerly known as Azure Active Directory

(Azure AD)), and then use Active Directory Federation Services (AD FS) so that your users can

access Microsoft Oﬃce 365 and other SAML 2.0 cloud applications by using their Active Directory

credentials.

Integrating AWS Managed Microsoft AD with IAM Identity Center adds SAML capabilities to

your AWS Managed Microsoft AD and / or your on-premises trusted domains. Once integrated

your users can then use IAM Identity Center with services that support SAML, including the AWS

Management Console and third-party cloud applications such as Oﬃce 365, Concur, and Salesforce

without having to conﬁgure a SAML infrastructure. For a demonstration on the process of allowing

your on-premises users to use IAM Identity Center, see the following YouTube video.

Note

AWS Single Sign-On was renamed to IAM Identity Center.

Use Case 5: Extend your on-premises Active Directory to the AWS Cloud

If you already have an Active Directory infrastructure and want to use it when migratingActive

Directory-aware workloads to the AWS Cloud, AWS Managed Microsoft AD can help. You can use

Use Case 3: Provide directory services to your Active Directory-aware workloads Version 1.0 47

AWS Directory Service Administration Guide

Active Directory trusts to connect AWS Managed Microsoft AD to your existing Active Directory.

This means your users can access Active Directoryy-aware and AWS applications with their on-

premises Active Directory credentials, without needing you to synchronize users, groups, or

passwords.

For example, your users can sign in to the AWS Management Console and Amazon WorkSpaces

by using their existing Active Directory user names and passwords. Also, when you use Active

Directory-aware applications such as SharePoint with AWS Managed Microsoft AD, your logged-in

Windows users can access these applications without needing to enter credentials again.

You can also migrate your on-premises Active Directory domain to AWS to be free of the

operational burden of your Active Directory infrastructure using the Active Directory Migration

Toolkit (ADMT) along with the Password Export Service (PES) to perform the migration.

Use Case 6: Share your directory to seamlessly join Amazon EC2

instances to a domain across AWS accounts

Sharing your directory across multiple AWS accounts enables you to manage AWS services such as

Amazon EC2 easily without the need to operate a directory for each account and each VPC. You

can use your directory from any AWS account and from any Amazon VPC within an AWS Region.

This capability makes it easier and more cost eﬀective to manage directory-aware workloads with

a single directory across accounts and VPCs. For example, you can now manage your Windows

workloads deployed in EC2 instances across multiple accounts and VPCs easily by using a single

AWS Managed Microsoft AD directory.

When you share your AWS Managed Microsoft AD directory with another AWS account, you can

use the Amazon EC2 console or AWS Systems Manager to seamlessly join your instances from any

Amazon VPC within the account and AWS Region. You can quickly deploy your directory-aware

workloads on EC2 instances by eliminating the need to manually join your instances to a domain or

to deploy directories in each account and VPC. For more information, see Share your AWS Managed

Microsoft AD.

Maintain your AWS Managed Microsoft AD

You can use the AWS Management Console to maintain your AWS Managed Microsoft AD and

complete day-to-day administrative tasks. Ways you can maintain your directory include:

Use Case 6: Share your directory to seamlessly join Amazon EC2 instances to a domain across AWS

accounts

Version 1.0 48

AWS Directory Service Administration Guide

• View your AWS Managed Microsoft AD directory details to learn your AWS Managed Microsoft

AD directory type, directory ID, directory status, and networking details such as its Amazon VPC,

subnets, and Availability zones.

• Restore your AWS Managed Microsoft AD with snapshots. You can also create snapshot and

delete snapshots.

• Deploy additional domain controllers to improve your AWS Managed Microsoft AD performance

and availability.

• Upgrade your AWS Managed Microsoft AD from Standard edition to Enterprise edition which

supports more directory objects.

• Add alternate user principal name (UPN) to improve the user login experience.

• Rename your AWS Managed Microsoft AD site name to improve AWS Managed Microsoft AD

ability to ﬁnd and authenticate your existing Active Directory users in your on-premises directory.

• Delete your AWS Managed Microsoft AD when you no longer need it.

Viewing AWS Managed Microsoft AD directory information

You can use the AWS Management Console to view your AWS Managed Microsoft AD directory

details like:

• Directory type

• Directory ID

• Directory status

• Networking details for your AWS Managed Microsoft AD like:

• Amazon VPC

• Subnets

• Availability zones

• DNS addresses

You can ﬁnd the following information about your AWS Managed Microsoft AD:

• Under the Share & share tab, you can share your AWS Managed Microsoft AD with other AWS

accounts and learn the networking details for your domain controllers.

Viewing directory information Version 1.0 49

AWS Directory Service Administration Guide

• Under the Application management tab, you can enable an application access URL for your

AWS Managed Microsoft AD and enable AWS applications and services for your AWS Managed

Microsoft AD.

• Under the Maintenance tab, you can enable Amazon Simple Notiﬁcation Service to receive

notiﬁcations of your AWS Managed Microsoft AD status and review snapshots of your AWS

Managed Microsoft AD.

To view detailed directory information in the AWS Management Console

1. In the AWS Directory Service console navigation pane, under Active Directory, select

Directories.

2. Click the directory ID link for your directory. Information about the directory is displayed in the

Directory details page.

For more information about the Status ﬁeld, see Understanding your AWS Managed Microsoft AD

directory status.

Restoring your AWS Managed Microsoft AD with snapshots

AWS Directory Service provides automated daily snapshots and the ability to take manual

snapshots of data for your AWS Managed Microsoft AD Active Directory. These snapshots can be

used to perform a point-in-time restore for your Active Directory. You are limited to ﬁve manual

snapshots for each AWS Managed Microsoft AD Active Directory. If you have already reached this

limit, you must delete one of your existing manual snapshots before you can create another. You

cannot take snapshots of AD Connector directories.

Restoring your directory with snapshots Version 1.0 50

AWS Directory Service Administration Guide

Note

Snapshot is a global feature of AWS Managed Microsoft AD. If you are using Conﬁgure

Multi-Region replication for AWS Managed Microsoft AD, the following procedures must be

performed in the Primary Region. The changes will be applied across all replicated Regions

automatically. For more information, see Global vs Regional features.

Topics

• Creating a snapshot of your directory

• Restoring your directory from a snapshot

• Deleting a snapshot

Creating a snapshot of your directory

A snapshot can be used to restore your directory to what it was at the point in time that the

snapshot was taken. To create a manual snapshot of your directory, perform the following steps.

Note

You are limited to 5 manual snapshots for each directory. If you have already reached

this limit, you must delete one of your existing manual snapshots before you can create

another.

To create a manual snapshot

1. In the AWS Directory Service console navigation pane, select Directories.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, choose the Maintenance tab.

4. In the Snapshots section, choose Actions, and then select Create snapshot.

5. In the Create directory snapshot dialog box, provide a name for the snapshot, if desired.

When ready, choose Create.

Depending on the size of your directory, it may take several minutes to create the snapshot. When

the snapshot is ready, the Status value changes to Completed.

Restoring your directory with snapshots Version 1.0 51

AWS Directory Service Administration Guide

Restoring your directory from a snapshot

Restoring a directory from a snapshot is equivalent to moving the directory back in time. Directory

snapshots are unique to the directory they were created from. A snapshot can only be restored

to the directory from which it was created. In addition, the maximum supported age of a manual

snapshot is 180 days. For more information, see Useful shelf life of a system-state backup of Active

Directory on the Microsoft website.

Warning

We recommend that you contact the AWS Support Center before any snapshot restore;

we may be able to help you avoid the need to do a snapshot restore. Any restore from

snapshot can result in data loss as they are a point in time. It is important you understand

that all of the DCs and DNS servers associated with the directory will be oﬄine until the

restore operation has been completed.

To restore your directory from a snapshot, perform the following steps.

To restore a directory from a snapshot

1. In the AWS Directory Service console navigation pane, select Directories.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, choose the Maintenance tab.

4. In the Snapshots section, select a snapshot in the list, choose Actions, and then select Restore

snapshot.

5. Review the information in the Restore directory snapshot dialog box, and choose Restore.

For an AWS Managed Microsoft AD directory, it can take from two to three hours for the directory

to be restored. When it has been successfully restored, the Status value of the directory changes to

Active. Any changes made to the directory after the snapshot date are overwritten.

Deleting a snapshot

To delete a snapshot

1. In the AWS Directory Service console navigation pane, select Directories.

Restoring your directory with snapshots Version 1.0 52

AWS Directory Service Administration Guide

2. On the Directories page, choose your directory ID.

3. On the Directory details page, choose the Maintenance tab.

4. In the Snapshots section, choose Actions, and then select Delete snapshot.

5. Verify that you want to delete the snapshot, and then choose Delete.

Deploying additional domain controllers for your AWS Managed

Microsoft AD

Deploying additional domain controllers for your AWS Managed Microsoft AD increases the

redundancy, which results in even greater resilience and higher availability. This also improves the

performance of your directory by supporting a greater number of Active Directory requests. For

example, you can now use AWS Managed Microsoft AD to support multiple .NET applications that

are deployed on large ﬂeets of Amazon EC2 and Amazon RDS for SQL Server instances.

When you ﬁrst create your directory, AWS Managed Microsoft AD deploys two domain controllers

across multiple Availability Zones, which is required for highly availability purposes. Later, you can

easily deploy additional domain controllers via the AWS Directory Service console by just specifying

the total number of domain controllers that you want. AWS Managed Microsoft AD distributes the

additional domain controllers to the Availability Zones and Amazon VPC subnets on which your

directory is running.

For example, in the below illustration, DC-1 and DC-2 represent the two domain controllers that

were originally created with your directory. The AWS Directory Service console refers to these

default domain controllers as Required. AWS Managed Microsoft AD intentionally locates each

of these domain controllers in separate Availability Zones during the directory creation process.

Later, you might decide to add two more domain controllers to help distribute the authentication

load over peak login times. Both DC-3 and DC-4 represent the new domain controllers, which the

console now refers to as Additional. As before, AWS Managed Microsoft AD again automatically

places the new domain controllers in diﬀerent Availability Zones to ensure your domain's high

availability.

Deploying additional domain controllers Version 1.0 53

AWS Directory Service Administration Guide

This process eliminates the need for you to manually conﬁgure directory data replication,

automated daily snapshots, or monitoring for the additional domain controllers. It's also easier for

you to migrate and run mission critical Active Directory–integrated workloads in the AWS Cloud

without having to deploy and maintain your own Active Directory infrastructure.

You can use either of the following tools to deploy or remove additional domain controllers to your

AWS Managed Microsoft AD:

•

update-number-of-domain-controllers AWS CLI command

• UpdateNumberOfDomainControllers API

• Adding or removing additional domain controllers with the AWS Management Console

Note

Additional domain controllers is a Regional feature of AWS Managed Microsoft AD. If you

are using Conﬁgure Multi-Region replication for AWS Managed Microsoft AD, the following

Deploying additional domain controllers Version 1.0 54

AWS Directory Service Administration Guide

procedures must be applied separately in each Region. For more information, see Global vs

Regional features.

Adding or removing additional domain controllers with the AWS Management

Console

You can use the AWS Management Console to add or remove additional domain controllers to your

AWS Managed Microsoft AD.

Prerequisites

Before adding or removing additional domain controllers to your AWS Managed Microsoft AD,

here's more information about domain controller requirements:

• After deploying additional domain controllers, you can reduce the number of domain controllers

to two, which is the minimum required for fault-tolerance and high availability purposes.

• The deleted domain controllers will be delete from the list of additional domain controllers. The

primary and secondary domain controllers are required and can't be deleted.

• If you have conﬁgured your AWS Managed Microsoft AD to enable LDAPS, any additional domain

controllers you add will also have LDAPS enabled automatically. For more information, see

Enable Secure LDAP or LDAPS.

Procedure

Use the following procedure to deploy or remove additional domain controllers in your AWS

Managed Microsoft AD with the AWS Management Console.

To add or remove additional domain controllers

1. In the AWS Directory Service console navigation pane, choose Directories.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the Region

where you want to add or remove domain controllers, and then choose the Scale & share

tab. For more information, see Primary vs additional Regions.

Deploying additional domain controllers Version 1.0 55

AWS Directory Service Administration Guide

• If you do not have any Regions showing under Multi-Region replication, choose the Scale &

share tab.

4. In the Domain controllers section, choose Edit.

5. Specify the number of domain controllers to add or remove from your directory, and then

choose Modify.

6. When AWS Managed Microsoft AD completes the deployment process, all domain controllers

show Active status, and both the assigned Availability Zone and Amazon VPC subnets appear.

New domain controllers are equally distributed across the Availability Zones and subnets

where your directory is already deployed.

Directory

, you must

also set

Certiﬁcate

Backdating

Compensat

ion, or

authentic

ation will

fail.

• Full

Enforceme

nt:

Authentic

Editing directory security settings Version 1.0 102

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

ation isn't

allowed if

a certiﬁca

te can't be

strongly

mapped to

a user. If you

choose this

enforceme

nt type,

Certiﬁcate

Backdating

Compensat

ion can't be

conﬁgured.

For more

informati

on, see

KB5014754

—Certiﬁc

ate-based

authentic

ation changes

on Windows

domain

controllers in

the Microsoft

Support

documenta

tion.

Editing directory security settings Version 1.0 103

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

AES

128/128

AES_128_128 Enable, Disable Enable or

disable the

AES 128/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Secure

Channel:

Cipher

DES

56/56

DES_56_56 Enable, Disable Enable or

disable the

DES 56/56

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Editing directory security settings Version 1.0 104

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

RC2

40/128

RC2_40_128 Enable, Disable Enable or

disable the

RC2 40/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

RC2

56/128

RC2_56_128 Enable, Disable Enable or

disable the

RC2 56/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Editing directory security settings Version 1.0 105

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

RC2

128/128

RC2_128_128 Enable, Disable Enable or

disable the

RC2 128/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

RC4

40/128

RC4_40_128 Enable, Disable Enable or

disable the

RC4 40/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Editing directory security settings Version 1.0 106

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

RC4

56/128

RC4_56_128 Enable, Disable Enable or

disable the

RC4 56/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

RC4

64/128

RC4_64_128 Enable, Disable Enable or

disable the

RC4 64/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Editing directory security settings Version 1.0 107

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

RC4

128/128

RC4_128_128 Enable, Disable Enable or

disable the

RC4 128/128

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Triple

DES

168/168

3DES_168_

168

Enable, Disable Enable or

disable the

Triple DES

168/168

encryption

cipher for

secure channel

communica

tions between

domain

controllers in

your directory.

Editing directory security settings Version 1.0 108

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

PCT

1.0

PCT_1_0 Enable, Disable Enable or

disable the

PCT 1.0

protocol for

secure channel

communica

tions (Server

and Client) on

the domain

controllers in

your directory.

Secure

Channel:

Protocol

SSL

2.0

SSL_2_0 Enable, Disable Enable or

disable the SSL

2.0 protocol

for secure

channel

communica

tions (Server

and Client) on

the domain

controllers in

your directory.

Editing directory security settings Version 1.0 109

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

SSL

3.0

SSL_3_0 Enable, Disable Enable or

disable the SSL

3.0 protocol

for secure

channel

communica

tions (Server

and Client) on

the domain

controllers in

your directory.

TLS

1.0

TLS_1_0 Enable, Disable Enable or

disable the

TLS 1.0

protocol for

secure channel

communica

tions (Server

and Client) on

the domain

controllers in

your directory.

Editing directory security settings Version 1.0 110

AWS Directory Service Administration Guide

Type Setting

name

API name Potential values Setting

description

TLS

1.1

TLS_1_1 Enable, Disable Enable or

disable the

TLS 1.1

protocol for

secure channel

communica

tions (Server

and Client) on

the domain

controllers in

your directory.

Setting up AWS Private CA Connector for AD

You can integrate your AWS Managed Microsoft AD with AWS Private Certiﬁcate Authority (CA) to

issue and manage certiﬁcates for your Active Directory domain joined users, groups, and machines.

AWS Private CA Connector for Active Directory allows you to use a fully managed AWS Private CA

drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or

update local agents or proxy servers.

Note

Server-side LDAPS certiﬁcate enrollment for AWS Managed Microsoft AD domain

controllers with AWS Private CA Connector for Active Directory is not supported. To enable

server-side LDAPS for your directory, see How to enable server-side LDAPS for your AWS

Managed Microsoft AD directory.

You can set up AWS Private CA integration with your directory through the Directory Service

console, the AWS Private CA Connector for Active Directory console, or by calling the

CreateTemplate API. To set up the Private CA integration through the AWS Private CA Connector

for Active Directory console, see Creating a connector template. See below for steps on how to set

up this integration from the AWS Directory Service console.

Setting up AWS Private CA Connector for AD Version 1.0 111

AWS Directory Service Administration Guide

To set up AWS Private CA Connector for AD

1. Sign in to the AWS Management Console and open the AWS Directory Service console at

https://console.aws.amazon.com/directoryservicev2/.

2. On the Directories page, choose your directory ID.

3. Under the Network & Security tab, under AWS Private CA Connector for AD, choose Set

up AWS Private CA Connector for AD. The page Create Private CA certiﬁcate for Active

Directory appears. Follow the steps on the console to create your Private CA for Active

Directory connector to enroll with your Private CA. For more information, see Creating a

connector.

4. After you create your connector, follow the steps below to view details, including the

connector’s status and the associated Private CA’s status.

To view AWS Private CA Connector for AD

1. Sign in to the AWS Management Console and open the AWS Directory Service console at

https://console.aws.amazon.com/directoryservicev2/.

2. On the Directories page, choose your directory ID.

3. Under Network & Security, under AWS Private CA Connector for AD, you can view your

Private CA connectors and associated Private CA. By default, you see the following ﬁelds:

a. AWS Private CA Connector ID — The unique identiﬁer for an AWS Private CA connector.

Clicking on it leads to the details page of that AWS Private CA connector.

b. AWS Private CA subject — Information about the distinguished name for the CA. Clicking

on it leads to the details page of that AWS Private CA.

c. Status — Based on a status check for the AWS Private CA Connector and the AWS Private

CA. If both checks pass, Active displays. If one of the checks fails, 1/2 checks failed

displays. If both checks fail, Failed displays. For more information about a failed status,

hover over the hyperlink to learn which check failed. Follow the instructions in the console

to remediate.

d. Date created — The day the AWS Private CA Connector was created.

For more information, see View connector details.

Setting up AWS Private CA Connector for AD Version 1.0 112

AWS Directory Service Administration Guide

Monitor your AWS Managed Microsoft AD

You can get the most out of your AWS Managed Microsoft AD by learning more about the diﬀerent

AWS Managed Microsoft AD statuses and what they mean for your AWS Managed Microsoft AD.

You can also use AWS services like Amazon Simple Notiﬁcation Service and Amazon CloudWatch

to monitor your AWS Managed Microsoft AD. Amazon Simple Notiﬁcation Service can send you

notiﬁcations of your AWS Managed Microsoft AD directory status. Amazon CloudWatch can

monitor the performance of your AWS Managed Microsoft AD domain controllers.

Tasks to monitor your AWS Managed Microsoft AD

• Understanding your AWS Managed Microsoft AD directory status

• Enabling AWS Managed Microsoft AD directory status notiﬁcations with Amazon Simple

Notiﬁcation Service

• Understanding your AWS Managed Microsoft AD directory logs

• Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD

• Using CloudWatch to monitor your AWS Managed Microsoft AD domain controllers' performance

• Disabling Amazon CloudWatch log forwarding for AWS Managed Microsoft AD

• Monitoring DNS Server with Microsoft Event Viewer

Understanding your AWS Managed Microsoft AD directory status

The following are the various statuses for a directory.

Active

The directory is operating normally. No issues have been detected by the AWS Directory Service

for your directory.

Creating

The directory is currently being created. Directory creation typically takes between 20 to 45

minutes but may vary depending on the system load.

Deleted

The directory has been deleted. All resources for the directory have been released. Once a

directory enters this state, it cannot be recovered.

Monitor your directory Version 1.0 113

AWS Directory Service Administration Guide

Deleting

The directory is currently being deleted. The directory will remain in this state until it has

been completely deleted. Once a directory enters this state, the delete operation cannot be

cancelled, and the directory cannot be recovered.

Failed

The directory could not be created. Please delete this directory. If this problem persists, please

contact the AWS Support Center.

Impaired

The directory is running in a degraded state. One or more issues have been detected, and not

all directory operations may be working at full operational capacity. There are many potential

reasons for the directory being in this state. These include normal operational maintenance

activity such as patching or EC2 instance rotation, temporary hot spotting by an application

on one of your domain controllers, or changes you made to your network that inadvertently

disrupt directory communications. For more information, see either Troubleshooting AWS

Managed Microsoft AD, Troubleshooting AD Connector, Troubleshooting Simple AD. For normal

maintenance related issues, AWS resolves these issues within 40 minutes. If after reviewing

the troubleshooting topic, your directory is in an Impaired state longer than 40 minutes, we

recommend that you contact the AWS Support Center.

Important

Do not restore a snapshot while a directory is in an Impaired state. It is rare that

snapshot restore is necessary to resolve impairments. For more information, see

Restoring your AWS Managed Microsoft AD with snapshots.

Requested

A request to create your directory is currently pending.

RestoreFailed

Restoring the directory from a snapshot failed. Please retry the restore operation. If this

continues, try a diﬀerent snapshot, or contact the AWS Support Center.

Understanding your directory status Version 1.0 114

AWS Directory Service Administration Guide

Restoring

The directory is currently being restored from an automatic or manual snapshot. Restoring from

a snapshot typically takes several minutes, depending on the size of the directory data in the

snapshot.

Enabling AWS Managed Microsoft AD directory status notiﬁcations

with Amazon Simple Notiﬁcation Service

Using Amazon Simple Notiﬁcation Service (Amazon SNS), you can receive email or text (SMS)

messages when the status of your directory changes. You get notiﬁed if your directory goes from

an Active status to an Impaired status. You also receive a notiﬁcation when the directory returns to

an Active status.

How It Works

Amazon SNS uses “topics” to collect and distribute messages. Each topic has one or more

subscribers who receive the messages that have been published to that topic. Using the steps

below you can add AWS Directory Service as publisher to an Amazon SNS topic. When AWS

Directory Service detects a change in your directory’s status, it publishes a message to that topic,

which is then sent to the topic's subscribers.

You can associate multiple directories as publishers to a single topic. You can also add directory

status messages to topics that you’ve previously created in Amazon SNS. You have detailed control

over who can publish to and subscribe to a topic. For complete information about Amazon SNS, see

What is Amazon SNS?.

Note

Directory status notiﬁcations is a Regional feature of AWS Managed Microsoft AD. If you

are using Conﬁgure Multi-Region replication for AWS Managed Microsoft AD, the following

procedures must be applied separately in each Region. For more information, see Global vs

Regional features.

Enabling Amazon SNS

The following walks you through how you can enable Amazon SNS for your AWS Managed

Microsoft AD:

Enabling directory status notiﬁcations with Amazon SNS Version 1.0 115

AWS Directory Service Administration Guide

1. Sign in to the AWS Management Console and open the AWS Directory Service console.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the Region

where you want to enable SNS messaging, and then choose the Maintenance tab. For more

information, see Primary vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Maintenance tab.

4. In the Directory monitoring section, choose Actions, and then select Create notiﬁcation.

5. On the Create notiﬁcation page, select Choose a notiﬁcation type, and then choose Create

a new notiﬁcation. Alternatively, if you already have an existing SNS topic, you can choose

Associate existing SNS topic to send status messages from this directory to that topic.

Note

If you choose Create a new notiﬁcation but then use the same topic name for an SNS

topic that already exists, Amazon SNS does not create a new topic, but just adds the

new subscription information to the existing topic.

If you choose Associate existing SNS topic, you will only be able to choose an SNS

topic that is in the same Region as the directory.

6. Choose the Recipient type and enter the Recipient contact information. If you enter a phone

number for SMS, use numbers only. Do not include dashes, spaces, or parentheses.

7. (Optional) Provide a name for your topic and an SNS display name. The display name is a short

name up to 10 characters that is included in all SMS messages from this topic. When using the

SMS option, the display name is required.

Note

If you are logged in using an IAM user or role that has only the

DirectoryServiceFullAccess managed policy, your topic name must start with

“DirectoryMonitoring”. If you’d like to further customize your topic name you’ll need

additional privileges for SNS.

8. Choose Create.

Enabling directory status notiﬁcations with Amazon SNS Version 1.0 116

AWS Directory Service Administration Guide

If you want to designate additional SNS subscribers, such as an additional email address, Amazon

SQS queues or AWS Lambda, you can do this from the Amazon SNS console.

Removing directory status messages from an Amazon SNS topic

The following walks you through how you can remove your AWS Managed Microsoft AD directory

status messages from an Amazon SNS topic:

1. Sign in to the AWS Management Console and open the AWS Directory Service console.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the Region

where you want to remove status messages, and then choose the Maintenance tab. For

more information, see Primary vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Maintenance tab.

4. In the Directory monitoring section, select an SNS topic name in the list, choose Actions, and

then select Remove.

5. Choose Remove.

This removes your directory as a publisher to the selected SNS topic.

Deleting an Amazon SNS topic

If you want to delete the entire topic, you can do this from the Amazon SNS console.

Before deleting an Amazon SNS topic using the SNS console, you should ensure that a directory is

not sending status messages to that topic.

If you delete an Amazon SNS topic using the SNS console, this change will not immediately

be reﬂected within the Directory Services console. You would only be notiﬁed the next time a

directory publishes a notiﬁcation to the deleted topic, in which case you would see an updated

status on the directory’s Monitoring tab indicating the topic could not be found.

Therefore, to avoid missing important directory status messages, before deleting any topic that

receives messages from AWS Directory Service, associate your directory with a diﬀerent Amazon

SNS topic.

Enabling directory status notiﬁcations with Amazon SNS Version 1.0 117

AWS Directory Service Administration Guide

For more information on how to delete an Amazon SNS topic, see Deleting an Amazon SNS topic

and subscription.

Understanding your AWS Managed Microsoft AD directory logs

Security logs from AWS Managed Microsoft AD domain controller instances are archived for a year.

You can also conﬁgure your AWS Managed Microsoft AD directory to forward domain controller

logs to Amazon CloudWatch Logs in near real time. For more information, see Enabling Amazon

CloudWatch Logs log forwarding for AWS Managed Microsoft AD.

AWS logs the following events for compliance.

Monitoring category Policy setting Audit state

Account Logon Audit Credential Validation Success, Failure

 Audit Other Account Logon

Events

Success, Failure

 Audit Kerberos Authentication

Service

Success, Failure

Account Management Audit Computer Account

Management

Success, Failure

 Audit Other Account

Management Events

Success, Failure

 Audit Security Group

Management

Success, Failure

 Audit User Account

Management

Success, Failure

Detailed Tracking Audit DPAPI Activity Success, Failure

 Audit PNP Activity Success

 Audit Process Creation Success, Failure

Understanding your directory logs Version 1.0 118

AWS Directory Service Administration Guide

Monitoring category Policy setting Audit state

DS Access Audit Directory Service Access Success, Failure

 Audit Directory Service

Changes

Success, Failure

Logon/Logoﬀ Audit Account Lockout Success, Failure

 Audit Logoﬀ Success

 Audit Logon Success, Failure

 Audit Other Logon/Logoﬀ

Events

Success, Failure

 Audit Special Logon Success, Failure

Object Access Audit Other Object Access

Events

Success, Failure

 Audit Removable Storage Success, Failure

 Audit Central Access Policy

Staging

Success, Failure

Policy Change Audit Policy Change Success, Failure

 Audit Authentication Policy

Change

Success, Failure

 Audit Authorization Policy

Change

Success, Failure

 Audit MPSSVC Rule-Level

Policy Change

Success

 Audit Other Policy Change

Events

Failure

Privilege Use Audit Sensitive Privilege Use Success, Failure

Understanding your directory logs Version 1.0 119

AWS Directory Service Administration Guide

Monitoring category Policy setting Audit state

System Audit IPsec Driver Success, Failure

 Audit Other System Events Success, Failure

 Audit Security State Change Success, Failure

 Audit Security System

Extension

Success, Failure

 Audit System Integrity Success, Failure

Enabling Amazon CloudWatch Logs log forwarding for AWS Managed

Microsoft AD

You can use either the AWS Directory Service console or APIs to forward domain controller security

event logs to Amazon CloudWatch Logs for your AWS Managed Microsoft AD. This helps you

to meet your security monitoring, audit, and log retention policy requirements by providing

transparency of the security events in your directory.

CloudWatch Logs can also forward these events to other AWS accounts, AWS services, or third

party applications. This makes it easier for you to centrally monitor and conﬁgure alerts to detect

and respond proactively to unusual activities in near real time.

Once enabled, you can then use the CloudWatch Logs console to retrieve the data from the log

group you speciﬁed when you enabled the service. This log group contains the security logs from

your domain controllers.

For more information about log groups and how to read their data, see Working with log groups

and log streams in the Amazon CloudWatch Logs User Guide.

Note

Log forwarding is a Regional feature of AWS Managed Microsoft AD. If you are using

Conﬁgure Multi-Region replication for AWS Managed Microsoft AD, the following

procedures must be applied separately in each Region. For more information, see Global vs

Regional features.

Enabling Amazon CloudWatch log forwarding Version 1.0 120

AWS Directory Service Administration Guide

Once enabled, the log forwarding capability will begin transmitting logs from your domain

controllers to the speciﬁed CloudWatch log group. Any logs created before log forwarding

is enabled will not be transferred to the CloudWatch log group.

Topics

• Using the AWS Management Console to enable Amazon CloudWatch Logs log forwarding

• Using the CLI or PowerShell to enable Amazon CloudWatch Logs log forwarding

Using the AWS Management Console to enable Amazon CloudWatch Logs log

forwarding

You can enable Amazon CloudWatch Logs log forwarding for your AWS Managed Microsoft AD in

the AWS Management Console.

1. In the AWS Directory Service console navigation pane, choose Directories.

2. Choose the directory ID of the AWS Managed Microsoft AD directory that you want to share.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the Region

where you want to enable log forwarding, and then choose the Networking & security tab.

For more information, see Primary vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Networking & security tab.

4. In the Log forwarding section, choose Enable.

5. On the Enable log forwarding to CloudWatch dialog, choose either of the following options:

a. Select Create a new CloudWatch log group, under CloudWatch Log group name, specify

a name that you can refer to in CloudWatch Logs.

b. Select Choose an existing CloudWatch log group, and under Existing CloudWatch log

groups, select a log group from the menu.

6. Review the pricing information and link, and then choose Enable.

Enabling Amazon CloudWatch log forwarding Version 1.0 121

AWS Directory Service Administration Guide

Using the CLI or PowerShell to enable Amazon CloudWatch Logs log forwarding

Before you can use the ds create-log-subscription command, you must ﬁrst create

an Amazon CloudWatch log group and then create an IAM resource policy that will grant the

necessary permission to that group. To enable log forwarding using the CLI or PowerShell,

complete the following steps.

Step 1: Create a log group in CloudWatch Logs

Create a log group that will be used to receive the security logs from your domain controllers. We

recommend pre-pending the name with /aws/directoryservice/, but that is not required. For

example:

CLI Command

aws logs create-log-group --log-group-name '/aws/directoryservice/d-1111111111'

PowerShell Command

New-CWLLogGroup -LogGroupName '/aws/directoryservice/d-1111111111'

For instructions on how to create a CloudWatch Logs group, see Create a log group in CloudWatch

Logs in the Amazon CloudWatch Logs User Guide.

Step 2: Create a CloudWatch Logs resource policy in IAM

Create a CloudWatch Logs resource policy granting AWS Directory Service rights to add logs into

the new log group you created in Step 1. You can either specify the exact ARN to the log group

to limit AWS Directory Service’s access to other log groups or use a wild card to include all log

groups. The following sample policy uses the wild card method to identify that all log groups that

start with /aws/directoryservice/ for the AWS account where your directory resides will be

included.

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"Service": "ds.amazonaws.com"

Enabling Amazon CloudWatch log forwarding Version 1.0 122

AWS Directory Service Administration Guide

"Action": [

"logs:CreateLogStream",

"logs:PutLogEvents"

"Resource": "arn:aws:logs:YOUR_REGION:YOUR_ACCOUNT_NUMBER:log-group:/aws/

directoryservice/*"

}

]

}

You will need to save this policy to a text ﬁle (for example DSPolicy.json) on your local workstation

as you will need to run it from the CLI. For example:

CLI Command

aws logs put-resource-policy --policy-name DSLogSubscription --policy-document

file://DSPolicy.json

PowerShell Command

$PolicyDocument = Get-Content .\DSPolicy.json –Raw

Write-CWLResourcePolicy -PolicyName DSLogSubscription -PolicyDocument

$PolicyDocument

Step 3: Create an AWS Directory Service log subscription

In this ﬁnal step, you can now proceed to enable log forwarding by creating the log subscription.

For example:

CLI Command

aws ds create-log-subscription --directory-id 'd-1111111111' --log-group-name '/aws/

directoryservice/d-1111111111'

PowerShell Command

New-DSLogSubscription -DirectoryId 'd-1111111111' -LogGroupName '/aws/

directoryservice/d-1111111111'

Enabling Amazon CloudWatch log forwarding Version 1.0 123

AWS Directory Service Administration Guide

Using CloudWatch to monitor your AWS Managed Microsoft AD domain

controllers' performance

AWS Directory Service integrates with Amazon CloudWatch to help provide you with important

performance metrics for each domain controller in your Active Directory. This means that you can

monitor domain controller performance counters, such as CPU and memory utilization. You can

also conﬁgure alarms and initiate automated actions to respond to periods of high utilization.

For example, you can conﬁgure an alarm for domain controller CPU utilization above 70 percent

and create an SNS topic to notify you when this occurs. You can use this SNS topic to initiate

automation, such as AWS Lambda functions, to increase the number of domain controllers to your

Active Directory.

For more information about monitoring your domain controllers, see Determining when to add

domain controllers with CloudWatch metrics.

There are fees associated with Amazon CloudWatch. For more information, see CloudWatch billing

and cost.

Important

Domain controller performance metrics with CloudWatch is unavailable in the Canada West

(Calgary) Region.

To enable CloudWatch, see Enabling Amazon CloudWatch Logs log forwarding for AWS

Managed Microsoft AD.

Finding domain controllers performance metrics in CloudWatch

In the Amazon CloudWatch console, metrics for a given service are grouped ﬁrst by the service's

namespace. You can add metric ﬁlters that are subordinate to that namespace. Use the following

procedure to locate the correct namespace and subordinate metric that is required to set up AWS

Managed Microsoft AD domain controller metrics in CloudWatch.

To ﬁnd domain controller metrics in the CloudWatch console

1. Sign in to the AWS Management Console and open the CloudWatch console at https://

console.aws.amazon.com/cloudwatch/.

2. In the navigation pane, choose Metrics.

Using CloudWatch to monitor your directory Version 1.0 124

AWS Directory Service Administration Guide

3. From the list of metrics, select the Directory Service namespace, and then from the list, select

the AWS Managed Microsoft AD metric.

For instructions on how to set up domain controller metrics using the CloudWatch console, see

How to automate AWS Managed Microsoft AD scaling based on utilization metrics in the AWS

Security Blog.

Determining when to add domain controllers with CloudWatch metrics

Load balancing across all of your domain controllers is important for the resilience and

performance of your Active Directory. To help you optimize the performance of your domain

controllers in AWS Managed Microsoft AD, we recommend that you ﬁrst monitor important metrics

in CloudWatch to form a baseline. During this process, you analyze your Active Directory over time

to identify your average and peak Active Directory utilization. After determining your baseline, you

can monitor these metrics on a regular basis to help determine when to add a domain controller to

your Active Directory.

The following metrics are important to monitor on a regular basis. For a full list of available

domain controller metrics in CloudWatch, see AWS Managed Microsoft AD performance counters.

• Domain controller-speciﬁc metrics, such as:

• Processor

• Memory

• Logical Disk

• Network Interface

• AWS Managed Microsoft AD directory-speciﬁc metrics, such as:

• LDAP searches

• Binds

• DNS queries

• Directory reads

• Directory writes

For instructions on how to set up domain controller metrics using the CloudWatch console,

see How to automate AWS Managed Microsoft AD scaling based on utilization metrics in the

Using CloudWatch to monitor your directory Version 1.0 125

AWS Directory Service Administration Guide

AWS Security Blog. For general information about metrics in CloudWatch, see Using Amazon

CloudWatch metrics in the Amazon CloudWatch User Guide.

For general information about domain controller planning, see Capacity planning for Active

Directory Domain Services on the Microsoft website.

AWS Managed Microsoft AD performance counters

The following table lists all performance counters available in Amazon CloudWatch for tracking

domain controller and directory performance in AWS Managed Microsoft AD.

Metric category Metric name

Database Cache % Hit

I/O Database Reads Average Latency

I/O Database Reads/sec

Database ==> Instances (NTDSA)

I/O Log Writes Average Latency

LDAP Bind Time

DRA Pending Replication Operations

DirectoryServices (NTDS)

DRA Pending Replication Synchronizations

Recursive Queries/sec

Recursive Query Failure/sec

TCP Query Received/sec

Total Query Received/sec

Total Response Sent/sec

DNS

UDP Query Received/sec

Avg. Disk Queue Length

LogicalDisk

% Free Space

Using CloudWatch to monitor your directory Version 1.0 126

AWS Directory Service Administration Guide

Metric category Metric name

% Committed Bytes in Use

Memory

Long-Term Average Standby Cache Lifetime (s)

Bytes Sent/sec

Bytes Received/sec

Network Interface

Current Bandwidth

ATQ Estimated Queue Delay

ATQ Request Latency

DS Directory Reads/Sec

DS Directory Searches/Sec

DS Directory Writes/Sec

LDAP Client Sessions

LDAP Searches/sec

NTDS

LDAP Successful Binds/sec

Processor % Processor Time

Kerberos Authentications

Security System-Wide Statistics

NTLM Authentications

Disabling Amazon CloudWatch log forwarding for AWS Managed

Microsoft AD

You can disable CloudWatch Logs log forwarding for your AWS Managed Microsoft AD in the AWS

Management Console. For more information on log forwarding, see the section called “Using

CloudWatch to monitor your directory”.

Disabling Amazon CloudWatch log forwarding Version 1.0 127

AWS Directory Service Administration Guide

1. In the AWS Directory Service console navigation pane, choose Directories.

2. Choose the directory ID of the AWS Managed Microsoft AD directory that you want to share.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the Region

where you want to disable log forwarding, and then choose the Networking & security tab.

For more information, see Primary vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Networking & security tab.

4. In the Log forwarding section, choose Disable.

5. Once you’ve read the information in the Disable log forwarding dialog, choose Disable.

Monitoring DNS Server with Microsoft Event Viewer

You can audit your AWS Managed Microsoft AD DNS events, making it easier to identify and

troubleshoot DNS issues. For example, if a DNS record is missing, you can use the DNS audit event

log to help identify the root cause and ﬁx the issue. You can also use DNS audit event logs to

improve security by detecting and blocking requests from suspicious IP addresses.

To do that, you must be logged on with the Admin account or with an account that is a member of

the AWS Domain Name System Administrators group. For more information about this group, see

What gets created with your AWS Managed Microsoft AD.

To access Event Viewer for your AWS Managed Microsoft AD DNS

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the left navigation pane, choose Instances.

3. Locate an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory.

Select the instance and then choose Connect.

4. Once connected to the Amazon EC2 instance, open the Start menu and select the Windows

Administrative Tools folder. Within the Administrative Tools folder, select Event Viewer.

5. In the Event Viewer window, choose Action and then choose Connect to Another Computer.

6. Select Another computer, type one of your AWS Managed Microsoft AD DNS servers name or

IP address, and choose OK.

7. In the left pane, navigate to Applications and Services Logs>Microsoft>Windows>DNS-

Server, and then select Audit.

Monitoring DNS Server with Microsoft Event Viewer Version 1.0 128

AWS Directory Service Administration Guide

Access to AWS applications and services from your AWS

Managed Microsoft AD

You can grant access to your AWS Managed Microsoft AD users to access AWS applications and

services. Some of these AWS applications and services include:

• Amazon Chime

• Amazon EC2

• Amazon QuickSight

• AWS Management Console

• Amazon WorkSpaces

You can also use access URLs and single sign-on with your AWS Managed Microsoft AD.

Tasks to access AWS applications and services from AWS Managed Microsoft AD

• Application compatibility for AWS Managed Microsoft AD

• Enabling access to AWS applications and services for your AWS Managed Microsoft AD

• Enabling AWS Management Console access with AWS Managed Microsoft AD credentials

• Creating an access URL for AWS Managed Microsoft AD

• Enabling single sign-on for AWS Managed Microsoft AD

Application compatibility for AWS Managed Microsoft AD

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) is compatible

with multiple AWS services and third-party applications.

The following is a list of compatible AWS applications and services:

• Amazon Chime

• Amazon Connect

• Amazon EC2

• Amazon QuickSight

• Amazon RDS

Access to AWS applications and services Version 1.0 129

AWS Directory Service Administration Guide

• Amazon WorkDocs

• Amazon WorkMail

• AWS Client VPN

• AWS IAM Identity Center

• AWS License Manager

• AWS Management Console

• FSx for Windows File Server

• WorkSpaces

For more information, see Enabling access to AWS applications and services for your AWS Managed

Microsoft AD.

Due to the magnitude of custom and commercial oﬀ-the-shelf applications that use Active

Directory, AWS does not and cannot perform formal or broad veriﬁcation of third-party application

compatibility with AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft

AD). Although AWS works with customers in an attempt to overcome any potential application

installation challenges they might encounter, we are unable to guarantee that any application is or

will continue to be compatible with AWS Managed Microsoft AD.

The following third-party applications are compatible with AWS Managed Microsoft AD:

• Active Directory-Based Activation (ADBA)

• Active Directory Certiﬁcate Services (AD CS): Enterprise Certiﬁcate Authority

• Active Directory Federation Services (AD FS)

• Active Directory Users and Computers (ADUC)

• Application Server (.NET)

• Microsoft Entra (formerly known as Azure Active Directory (Azure AD))

• Microsoft Entra Connect (formerly known as Azure Active Directory Connect)

• Distributed File System Replication (DFSR)

• Distributed File System Namespaces (DFSN)

• Microsoft Remote Desktop Services Licensing Server

• Microsoft SharePoint Server

Application compatibility Version 1.0 130

AWS Directory Service Administration Guide

• Microsoft SQL Server (including SQL Server Always On Availability Groups)

• Microsoft System Center Conﬁguration Manager (SCCM) - The user deploying SCCM must be a

member of the AWS Delegated System Management Administrators group.

• Microsoft Windows and Windows Server OS

• Oﬃce 365

Note that not all conﬁgurations of these applications may be supported.

Compatibility guidelines

Although applications may have conﬁgurations that are incompatible, application deployment

conﬁgurations can often overcome incompatibility. The following describes the most common

reasons for application incompatibility. Customers can use this information to investigate

compatibility characteristics of a desired application and identify potential deployment changes.

• Domain administrator or other privileged permissions – Some applications state that you

must install them as the domain administrator. Because AWS must retain exclusive control of

this permission level in order to deliver Active Directory as a managed service, you cannot act

as the domain administrator to install such applications. However, you can often install such

applications by delegating speciﬁc, less privileged, and AWS supported permissions to the person

who performs the installation. For more details on the precise permissions that your application

requires, ask your application provider. For more information about permissions that AWS allows

you to delegate, see What gets created with your AWS Managed Microsoft AD.

• Access to privileged Active Directory containers – Within your directory, AWS Managed

Microsoft AD provides an Organizational Unit (OU) over which you have full administrative

control. You do not have create or write permissions and may have limited read permissions to

containers that are higher in the Active Directory tree than your OU. Applications that create or

access containers for which you have no permissions might not work. However, such applications

often have an ability to use a container that you create in your OU as an alternative. Check with

your application provider to ﬁnd ways to create and use a container in your OU as an alternative.

For more information on your OU, see What gets created with your AWS Managed Microsoft AD.

• Schema changes during the install workﬂow – Some Active Directory applications require

changes to the default Active Directory schema, and they may attempt to install those changes

as part of the application installation workﬂow. Due to the privileged nature of schema

extensions, AWS makes this possible by importing Lightweight Directory Interchange Format

(LDIF) ﬁles through the AWS Directory Service console, CLI, or SDK only. Such applications often

Application compatibility Version 1.0 131

AWS Directory Service Administration Guide

come with an LDIF ﬁle that you can apply to the directory through the AWS Directory Service

schema update process. For more information about how the LDIF import process works, see

Tutorial: Extending your AWS Managed Microsoft AD schema. You can install the application in a

way to bypass the schema installation during the installation process.

Known incompatible applications

The following lists commonly requested commercial oﬀ-the-shelf applications for which we have

not found a conﬁguration that works with AWS Managed Microsoft AD. AWS updates this list from

time to time at its sole discretion as a courtesy to help you avoid unproductive eﬀorts. AWS provide

this information without warranty or claims regarding current or future compatibility.

• Active Directory Certiﬁcate Services (AD CS): Certiﬁcate Enrollment Web Service

• Active Directory Certiﬁcate Services (AD CS): Certiﬁcate Enrollment Policy Web Service

• Microsoft Exchange Server

• Microsoft Skype for Business Server

Enabling access to AWS applications and services for your AWS

Managed Microsoft AD

Users can authorize AWS Managed Microsoft AD to give AWS applications and services, such as

Amazon WorkSpaces, access to your Active Directory. The following AWS applications and services

can be enabled or disabled to work with AWS Managed Microsoft AD.

AWS application / service More information...

Amazon Chime For more information, see the Connecting to

Active Directory.

Amazon Connect For more information, see the Amazon

Connect Administration Guide.

Amazon EC2 For more information, see Ways to join an

Amazon EC2 instance to your AWS Managed

Microsoft AD.

Enabling access to AWS applications and services Version 1.0 132

AWS Directory Service Administration Guide

AWS application / service More information...

Amazon FSx for Windows File Server For more information, see Using Amazon

FSx with AWS Directory Service for Microsoft

Active Directory.

Amazon QuickSight For more information, see the Using Active

Directory with Amazon QuickSight Enterprise

edition.

Amazon Relational Database Service For more information, see the following:

• Using Kerberos authentication for MySQL

• Using Kerberos authentication with Amazon

RDS for Oracle

• Using Kerberos authentication with Amazon

RDS for PostgreSQL

• Working with AWS Managed Microsoft AD

with Amazon RDS for SQL Server

Amazon WorkDocs For more information, see the Enable Amazon

WorkDocs for AWS Managed Microsoft AD.

Amazon WorkMail For more information, see the Creating an

organization.

Amazon WorkSpaces You can create a Simple AD, AWS Managed

Microsoft AD, or AD Connector directly from

WorkSpaces. Simply launch Advanced Setup

when creating your Workspace.

For more information, see the Register an

existing AWS Directory Service directory with

WorkSpaces Personal.

AWS Client VPN For more information, see the Active Directory

authentication in Client VPN.

Enabling access to AWS applications and services Version 1.0 133

AWS Directory Service Administration Guide

AWS application / service More information...

AWS IAM Identity Center For more information, see the Connect to a

Microsoft AD directory.

AWS License Manager For more information, see the Manage user-

based subscriptions in License Manager.

AWS Management Console For more information, see Enabling AWS

Management Console access with AWS

Managed Microsoft AD credentials.

AWS Private Certiﬁcate Authority For more information, see AWS Private CA

Connector for Active Directory.

AWS Transfer Family For more information, see the Conﬁguring an

SFTP, FTPS, or FTP server endpoint.

Once enabled, you manage access to your directories in the console of the application or service

that you want to give access to your directory.

Find AWS applications and services

To ﬁnd the AWS applications and services previously described in the AWS Directory Service

console, perform the following steps.

1. In the AWS Directory Service console navigation pane, choose Directories.

2. On the Directories page, choose your directory ID.

3. On the Directory details page, select the Application management tab.

4. Review the list under the AWS apps & services section.

For more information about how to authorize or deauthorize AWS applications and services using

AWS Directory Service, see Authorization for AWS applications and services using AWS Directory

Service.

Enabling access to AWS applications and services Version 1.0 134

AWS Directory Service Administration Guide

Enabling AWS Management Console access with AWS Managed

Microsoft AD credentials

AWS Directory Service allows you to grant members of your directory access to the AWS

Management Console. By default, your directory members do not have access to any AWS

resources. You assign IAM roles to your directory members to give them access to the various AWS

services and resources. The IAM role deﬁnes the services, resources, and level of access that your

directory members have.

Before you can grant console access to your directory members, your directory must have an

access URL. For more information about how to view directory details and get your access URL, see

Viewing AWS Managed Microsoft AD directory information. For more information about how to

create an access URL, see Creating an access URL for AWS Managed Microsoft AD.

For more information about how to create and assign IAM roles to your directory members, see

Granting AWS Managed Microsoft AD users and groups access to AWS resources with IAM roles.

Topics

• Enabling AWS Management Console access

• Disabling AWS Management Console access

• Setting AWS Management Console login session length

Directory

• Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory

• Joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory

• Joining an Amazon EC2 Mac instance to your AWS Managed Microsoft AD Active Directory

• Delegating directory join privileges for AWS Managed Microsoft AD

• Creating or changing a DHCP options set for AWS Managed Microsoft AD

Launching a directory administration instance in your AWS Managed

Microsoft AD Active Directory

This procedure launches an Amazon EC2 directory administration Windows instance in the AWS

Management Console using AWS Systems Manager Automation to manage your directories. You

can also accomplish this by running the automation AWS-CreateDSManagementInstance in the

AWS Systems Manager Automation console directly.

Ways to join an instance to your directory Version 1.0 210

AWS Directory Service Administration Guide

Prerequisites

To launch a directory administration EC2 instance from the console, you must have the following

permissions enabled in your account.

•

ds:DescribeDirectories

•

ec2:AuthorizeSecurityGroupIngress

•

ec2:CreateSecurityGroup

•

ec2:CreateTags

•

ec2:DeleteSecurityGroup

•

ec2:DescribeInstances

•

ec2:DescribeInstanceStatus

•

ec2:DescribeKeyPairs

•

ec2:DescribeSecurityGroups

•

ec2:DescribeVpcs

•

ec2:RunInstances

•

ec2:TerminateInstances

•

iam:AddRoleToInstanceProfile

•

iam:AttachRolePolicy

•

iam:CreateInstanceProfile

•

iam:CreateRole

•

iam:DeleteInstanceProfile

•

iam:DeleteRole

•

iam:DetachRolePolicy

•

iam:GetInstanceProfile

•

iam:GetRole

•

iam:ListAttachedRolePolicies

•

iam:ListInstanceProfiles

•

iam:ListInstanceProfilesForRole

•

iam:PassRole

Launching a directory administration instance Version 1.0 211

AWS Directory Service Administration Guide

•

iam:RemoveRoleFromInstanceProfile

•

iam:TagInstanceProfile

•

iam:TagRole

•

ssm:CreateDocument

•

ssm:DeleteDocument

•

ssm:DescribeInstanceInformation

•

ssm:GetAutomationExecution

•

ssm:GetParameters

•

ssm:ListCommandInvocations

•

ssm:ListCommands

•

ssm:ListDocuments

•

ssm:SendCommand

•

ssm:StartAutomationExecution

•

ssm:GetDocument

Launching a directory administration EC2 instance in the AWS Management

Console

1. Sign in to the AWS Directory Service console.

2. Under Active Directory, choose Directories.

3. Choose the Directory ID of the directory where you want to launch a directory administration

EC2 instance.

4. On the directory page, in the top right corner, choose Actions.

5. In the Actions dropdown list, choose Launch directory administration EC2 instance.

6. On the Launch directory administration EC2 instance page, under Input parameters,

complete the ﬁelds.

a. (Optional) You can provide a key pair for the instance. From the Key Pair Name - optional

dropdown list, select a key pair.

b. (Optional) Choose View AWS CLI command to see an example that you use in the AWS

CLI to run this automation.

7. Choose Submit.

Launching a directory administration instance Version 1.0 212

AWS Directory Service Administration Guide

8. You're taken back to the directory page. A green ﬂashbar displays at the top of your screen to

indicate that you successfully began the launch.

Viewing directory administration EC2 instance

If you haven't launched any EC2 instances for a directory, a dash (-) displays under Directory

administration EC2 instance.

1. Under Active Directory, choose Directories and select the directory you want to view.

2. Under Directory details, under Directory administration EC2 instance, choose one or all of

your instances to view.

3. When you choose an instance, you're routed to the EC2 Connect to instance page to connect a

remote desktop to your instance.

Joining an Amazon EC2 Windows instance to your AWS Managed

Microsoft AD Active Directory

You can launch and join an Amazon EC2 Windows instance to an AWS Managed Microsoft AD.

Alternatively, you can manually join an existing EC2 Windows instance to an AWS Managed

Microsoft AD.

Seamlessly join EC2 Windows instance

This procedure seamlessly joins an Amazon EC2 Windows instance to your AWS Managed

Microsoft AD. If you need to perform seamless domain join across multiple AWS accounts, see

Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join. For

more information about Amazon EC2, see What is Amazon EC2?.

To seamlessly join an Amazon EC2 Windows instance

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://

console.aws.amazon.com/ec2/.

2. In the navigation bar, choose the same AWS Region as the existing directory.

3. On the EC2 Dashboard, in the Launch instance section, choose Launch instance.

4. On the Launch an instance page, under the Name and Tags section, enter the name you

would like to use for your Windows EC2 instance.

Joining a Windows instance Version 1.0 213

AWS Directory Service Administration Guide

5. (Optional) Choose Add additional tags to add one or more tag key-value pairs to organize,

track, or control access for this EC2 instance.

6. In the Application and OS Image (Amazon Machine Image) section, choose Windows in

the Quick Start pane. You can change the Windows Amazon Machine Image (AMI) from the

Amazon Machine Image (AMI) dropdown list.

7. In the Instance type section, choose the instance type you would like to use from Instance

type dropdown list.

8. In the Key pair (login) section, you can either choose to create a new key pair or choose

from an existing key pair.

a. To create a new key pair, choose Create new key pair.

b. Enter a name for the key pair and select an option for the Key pair type and Private

key ﬁle format.

c. To save the private key in a format that can be used with OpenSSH, choose .pem. To

save the private key in a format that can be used with PuTTY, choose .ppk.

d. Choose create key pair.

e. The private key ﬁle is automatically downloaded by your browser. Save the private key

ﬁle in a safe place.

Important

This is the only chance for you to save the private key ﬁle.

9. On the Launch an instance page, under Network settings section, choose Edit. Choose the

VPC that your directory was created in from the VPC - required dropdown list.

10. Choose one of the public subnets in your VPC from the Subnet dropdown list. The subnet

you choose must have all external traﬃc routed to an internet gateway. If this is not the

case, you won't be able to connect to the instance remotely.

For more information on how to connect to a internet gateway, see Connect to the internet

using an internet gateway in the Amazon VPC User Guide.

11. Under Auto-assign public IP, choose Enable.

For more information about public and private IP addressing, see Amazon EC2 instance IP

addressing in the Amazon EC2 User Guide.

Joining a Windows instance Version 1.0 214

AWS Directory Service Administration Guide

12. For Firewall (security groups) settings, you can use the default settings or make changes

to meet your needs.

13. For Conﬁgure storage settings, you can use the default settings or make changes to meet

your needs.

14. Select Advanced details section, choose your domain from the Domain join directory

dropdown list.

Note

After choosing the Domain join directory, you may see:

This error occurs if the EC2 launch wizard identiﬁes an existing SSM document with

unexpected properties. You can do one of the following:

• If you previously edited the SSM document and the properties are expected,

choose close and proceed to launch the EC2 instance with no changes.

• Select the delete the existing SSM document here link to delete the SSM

document. This will allow for the creation of an SSM document with the correct

properties. The SSM document will automatically be created when you launch the

EC2 instance.

15. For IAM instance proﬁle, you can select an existing IAM instance proﬁle or create

a new one. Select an IAM instance proﬁle that has the AWS managed policies

AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess attached to

it from the IAM instance proﬁle dropdown list. To create a new one, choose Create new

IAM proﬁle link, and then do the following:

1. Choose Create role.

2. Under Select trusted entity, choose AWS service.

3. Under Use case, choose EC2.

Joining a Windows instance Version 1.0 215

AWS Directory Service Administration Guide

4. Under Add permissions, in the list of policies, select the

AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policies.

To ﬁlter the list, type SSM in the search box. Choose Next.

Note

AmazonSSMDirectoryServiceAccess provides the permissions to join

instances to an Active Directory managed by AWS Directory Service.

AmazonSSMManagedInstanceCore provides the minimum permissions

necessary to use the AWS Systems Manager service. For more information

about creating a role with these permissions, and for information about other

permissions and policies you can assign to your IAM role, see Create an IAM

instance proﬁle for Systems Manager in the AWS Systems Manager User Guide.

5. On the Name, review, and create page, enter a Role name. You will need this role name

to attach to the EC2 instance.

6. (Optional) You can provide a description of the IAM instance proﬁle in the Description

ﬁeld.

7. Choose Create role.

8. Return to Launch an instance page and choose the refresh icon next to the IAM instance

proﬁle. Your new IAM instance proﬁle should be visible in the IAM instance proﬁle

dropdown list. Choose the new proﬁle and leave the rest of the settings with their

default values.

16. Choose Launch instance.

Manually join EC2 Windows instnace

To manually join an existing Amazon EC2 Windows instance to an AWS Managed Microsoft AD

Active Directory, the instance must be launched using the parameters as speciﬁed in Joining an

Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory.

You will need the IP addresses of the AWS Managed Microsoft AD DNS servers. This information

can be found under Directory Services > Directories > the Directory ID link for your directory

> Directory details and Networking & Security sections.

Joining a Windows instance Version 1.0 216

AWS Directory Service Administration Guide

To join a Windows instance to an AWS Managed Microsoft AD Active Directory

1. Connect to the instance using any Remote Desktop Protocol client.

2. Open the TCP/IPv4 properties dialog box on the instance.

a. Open Network Connections.

Tip

You can open Network Connections directly by running the following from a

command prompt on the instance.

%SystemRoot%\system32\control.exe ncpa.cpl

b. Open the context menu (right-click) for any enabled network connection and then

choose Properties.

c. In the connection properties dialog box, open (double-click) Internet Protocol Version

Joining a Windows instance Version 1.0 217

AWS Directory Service Administration Guide

3. Select Use the following DNS server addresses, change the Preferred DNS server and

Alternate DNS server addresses to the IP addresses of your AWS Managed Microsoft AD-

provided DNS servers, and choose OK.

4. Open the System Properties dialog box for the instance, select the Computer Name tab,

and choose Change.

Tip

You can open the System Properties dialog box directly by running the following

from a command prompt on the instance.

%SystemRoot%\system32\control.exe sysdm.cpl

5. In the Member of ﬁeld, select Domain, enter the fully qualiﬁed name of your AWS

Managed Microsoft AD Active Directory, and choose OK.

6. When prompted for the name and password for the domain administrator, enter

the username and password of an account that has domain join privileges. For more

Joining a Windows instance Version 1.0 218

AWS Directory Service Administration Guide

information about delegating these privileges, see Delegating directory join privileges for

AWS Managed Microsoft AD.

Note

You can enter either the fully qualiﬁed name of your domain or the NetBIOS

name, followed by a backslash (\), and then the username. The username would be

Admin. For example, corp.example.com\admin or corp\admin.

7. After you receive the message welcoming you to the domain, restart the instance to have

the changes take eﬀect.

Now that your instance has been joined to the AWS Managed Microsoft AD Active Directory

domain, you can log into that instance remotely and install utilities to manage the directory,

such as adding users and groups. The Active Directory Administration Tools can be used to

create users and groups. For more information, see Installing Active Directory Administration

Tools for AWS Managed Microsoft AD.

Note

You can also use Amazon Route53 to process DNS queries instead of manually

changing the DNS addresses on your Amazon EC2 instances. For more information, see

Integrating your Directory Service's DNS resolution with Amazon Route53 Resolver and

Forwarding outbound DNS queries to your network.

Joining an Amazon EC2 Linux instance to your AWS Managed Microsoft

AD Active Directory

You can launch and join an EC2 Linux instance to your AWS Managed Microsoft AD in the AWS

Management Console. You can also manually join EC2 Linux instance to your AWS Managed

Microsoft AD. Tools like Winbind can also be used so you can domain join an EC2 Linux instance to

your AWS Managed Microsoft AD.

The following Linux instance distributions and versions are supported:

• Amazon Linux AMI 2018.03.0

Joining a Linux instance Version 1.0 219

AWS Directory Service Administration Guide

• Amazon Linux 2 (64-bit x86)

• Red Hat Enterprise Linux 8 (HVM) (64-bit x86)

• Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS

• CentOS 7 x86-64

• SUSE Linux Enterprise Server 15 SP1

Note

Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 do not support the

seamless domain join feature.

Ways to domain join a EC2 Linux instance:

• Seamlessly joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active

Directory

• Seamlessly joining an Amazon EC2 Linux instance to a shared AWS Managed Microsoft AD

• Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active

Directory

• Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active

Directory using Winbind

Seamlessly joining an Amazon EC2 Linux instance to your AWS Managed

Microsoft AD Active Directory

This procedure seamlessly joins an Amazon EC2 Linux instance to your AWS Managed Microsoft AD

Active Directory. If you need to perform seamless domain join across multiple AWS accounts, you

can optionally choose to enable Directory sharing.

The following Linux instance distributions and versions are supported:

• Amazon Linux AMI 2018.03.0

• Amazon Linux 2 (64-bit x86)

• Red Hat Enterprise Linux 8 (HVM) (64-bit x86)

• Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS

Joining a Linux instance Version 1.0 220

AWS Directory Service Administration Guide

• CentOS 7 x86-64

• SUSE Linux Enterprise Server 15 SP1

Note

Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 do not support the

seamless domain join feature.

For a demonstration on the process of seamlessly joining a Linux instance to your AWS Managed

Microsoft AD Active Directory, see the following YouTube video.

Amazon EC2 for Linux seamless AD domain join demo

Prerequisites

Before you can set up seamless domain join to a Linux instance, you need to complete the

procedures in this section.

Select your seamless domain join service account

You can seamlessly join Linux computers to your AWS Managed Microsoft AD Active Directory

domain. To do that, you must use a user account with create computer account permissions

to join the machines to the domain. Although members of the AWS delegated administrators

or other groups might have suﬃcient privileges to join computers to the domain, we do not

recommend using these. As a best practice, we recommend that you use a service account that has

the minimum privileges necessary to join the computers to the domain.

To delegate an account with the minimum privileges necessary to join the computers to the

domain, you can run the following PowerShell commands. You must run these commands from

a domain-joined Windows computer with the Installing Active Directory Administration Tools for

AWS Managed Microsoft AD installed. In addition, you must use an account that has permission

to modify the permissions on your Computers OU or container. The PowerShell command sets

permissions allowing the service account to create computer objects in your domain’s default

computers container.

$AccountName = 'awsSeamlessDomain'

# DO NOT modify anything below this comment.

# Getting Active Directory information.

Joining a Linux instance Version 1.0 221

AWS Directory Service Administration Guide

Import-Module 'ActiveDirectory'

$Domain = Get-ADDomain -ErrorAction Stop

$BaseDn = $Domain.DistinguishedName

$ComputersContainer = $Domain.ComputersContainer

$SchemaNamingContext = Get-ADRootDSE | Select-Object -ExpandProperty

'schemaNamingContext'

[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $SchemaNamingContext

-Filter { lDAPDisplayName -eq 'Computer' } -Properties 'schemaIDGUID').schemaIDGUID

# Getting Service account Information.

$AccountProperties = Get-ADUser -Identity $AccountName

$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier'

$AccountProperties.SID.Value

# Getting ACL settings for the Computers container.

$ObjectAcl = Get-ACL -Path "AD:\$ComputersContainer"

# Setting ACL allowing the service account the ability to create child computer objects

in the Computers container.

$AddAccessRule = New-Object -TypeName

'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'CreateChild',

'Allow', $ServicePrincipalNameGUID, 'All'

$ObjectAcl.AddAccessRule($AddAccessRule)

Set-ACL -AclObject $ObjectAcl -Path "AD:\$ComputersContainer"

If you prefer using a graphical user interface (GUI) you can use the manual process that is described

in Delegate privileges to your service account.

Create the secrets to store the domain service account

You can use AWS Secrets Manager to store the domain service account.

To create secrets and store the domain service account information

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at

https://console.aws.amazon.com/secretsmanager/.

2. Choose Store a new secret.

3. On the Store a new secret page, do the following:

a. Under Secret type, choose Other type of secrets.

b. Under Key/value pairs, do the following:

In the ﬁrst box, enter awsSeamlessDomainUsername. On the same row, in

the next box, enter the username for your service account. For example, if you

Joining a Linux instance Version 1.0 222

AWS Directory Service Administration Guide

used the PowerShell command previously, the service account name would be

awsSeamlessDomain.

Note

You must enter awsSeamlessDomainUsername exactly as it is. Make sure

there are not any leading or ending spaces. Otherwise the domain join will

fail.

ii. Choose Add row.

iii.

On the new row, in the ﬁrst box, enter awsSeamlessDomainPassword. On the same

row, in the next box, enter the password for your service account.

Joining a Linux instance Version 1.0 223

AWS Directory Service Administration Guide

Note

You must enter awsSeamlessDomainPassword exactly as it is. Make sure

there are not any leading or ending spaces. Otherwise the domain join will

fail.

iv.

Under Encryption key, leave the default value aws/secretsmanager. AWS Secrets

Manager always encrypts the secret when you choose this option. You also may

choose a key you created.

Note

There are fees associated with AWS Secrets Manager, depending on which

secret you use. For the current complete pricing list, see AWS Secrets Manager

Pricing.

You can use the AWS managed key aws/secretsmanager that Secrets

Manager creates to encrypt your secrets for free. If you create your own KMS

keys to encrypt your secrets, AWS charges you at the current AWS KMS rate.

For more information, see AWS Key Management Service Pricing.

v. Choose Next.

4. Under Secret name, enter a secret name that includes your directory ID using the following

format, replacing d-xxxxxxxxx with your directory ID:

aws/directory-services/d-xxxxxxxxx/seamless-domain-join

This will be used to retrieve secrets in the application.

Note

You must enter aws/directory-services/d-xxxxxxxxx/seamless-domain-

join exactly as it is but replace d-xxxxxxxxxx with your directory ID. Make sure that

there are no leading or ending spaces. Otherwise the domain join will fail.

Joining a Linux instance Version 1.0 224

AWS Directory Service Administration Guide

5. Leave everything else set to defaults, and then choose Next.

6. Under Conﬁgure automatic rotation, choose Disable automatic rotation, and then choose

Next.

You can turn on rotation for this secret after you store it.

7. Review the settings, and then choose Store to save your changes. The Secrets Manager console

returns you to the list of secrets in your account with your new secret now included in the list.

8. Choose your newly created secret name from the list, and take note of the Secret ARN value.

You will need it in the next section.

Joining a Linux instance Version 1.0 225

AWS Directory Service Administration Guide

Turn on rotation for the domain service account secret

We recommend that you regularly rotate secrets to improve your security posture.

To turn on rotation for the domain service account secret

• Follow the instructions in Set up automatic rotation for AWS Secrets Manager secrets in the

AWS Secrets Manager User Guide.

For Step 5, use the rotation template Microsoft Active Directory credentials in the AWS Secrets

Manager User Guide.

For help, see Troubleshoot AWS Secrets Manager rotation in the AWS Secrets Manager User

Guide.

Create the required IAM policy and role

Use the following prerequisite steps to create a custom policy that allows read-only access to your

Secrets Manager seamless domain join secret (which you created earlier), and to create a new

LinuxEC2DomainJoin IAM role.

Create the Secrets Manager IAM read policy

You use the IAM console to create a policy that grants read-only access to your Secrets Manager

secret.

To create the Secrets Manager IAM read policy

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies.

Then open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, Access Management, choose Policies.

3. Choose Create policy.

4. Choose the JSON tab and copy the text from the following JSON policy document. Then paste

it into the JSON text box.

Note

Make sure you replace the Region and Resource ARN with the actual Region and ARN

of the secret that you created earlier.

Joining a Linux instance Version 1.0 226

AWS Directory Service Administration Guide

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"secretsmanager:GetSecretValue",

"secretsmanager:DescribeSecret"

"Resource": [

"arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:aws/directory-

services/d-xxxxxxxxx/seamless-domain-join"

]

}

]

}

5. When you are ﬁnished, choose Next. The policy validator reports any syntax errors. For more

information, see Validating IAM policies.

On the Review policy page, enter a policy name, such as SM-Secret-Linux-DJ-d-

xxxxxxxxxx-Read. Review the Summary section to see the permissions that your policy

grants. Then choose Create policy to save your changes. The new policy appears in the list of

managed policies and is now ready to attach to an identity.

Note

We recommend you create one policy per secret. Doing so ensures that instances only have

access to the appropriate secret and minimizes the impact if an instance is compromised.

Create the LinuxEC2DomainJoin role

You use the IAM console to create the role that you will use to domain join your Linux EC2 instance.

To create the LinuxEC2DomainJoin role

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies.

Then open the IAM console at https://console.aws.amazon.com/iam/.

Joining a Linux instance Version 1.0 227

AWS Directory Service Administration Guide

2. In the navigation pane, under Access Management, choose Roles.

3. In the content pane, choose Create role.

4. Under Select type of trusted entity, choose AWS service.

5. Under Use case, choose EC2, and then choose Next.

6. For Filter policies, do the following:

Enter AmazonSSMManagedInstanceCore. Then select the check box for that item in the

list.

Enter AmazonSSMDirectoryServiceAccess. Then select the check box for that item in

the list.

Enter SM-Secret-Linux-DJ-d-xxxxxxxxxx-Read (or the name of the policy that you

created in the previous procedure). Then select the check box for that item in the list.

d. After adding the three policies listed above, select Create role.

Note

AmazonSSMDirectoryServiceAccess provides the permissions to join

instances to an Active Directory managed by AWS Directory Service.

AmazonSSMManagedInstanceCore provides the minimum permissions necessary to

use the AWS Systems Manager service. For more information about creating a role with

these permissions, and for information about other permissions and policies you can

Joining a Linux instance Version 1.0 228

AWS Directory Service Administration Guide

assign to your IAM role, see Create an IAM instance proﬁle for Systems Manager in the

AWS Systems Manager User Guide.

Enter a name for your new role, such as LinuxEC2DomainJoin or another name that you

prefer in the Role name ﬁeld.

8. (Optional) For Role description, enter a description.

9. (Optional) Choose Add new tag under Step 3: Add tags to add tags. Tag key-value pairs are

used to organize, track, or control access for this role.

10. Choose Create role.

Seamlessly join your Linux instance

To seamlessly join your Linux instance

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://

console.aws.amazon.com/ec2/.

2. From the Region selector in the navigation bar, choose the same AWS Region as the existing

directory.

3. On the EC2 Dashboard, in the Launch instance section, choose Launch instance.

4. On the Launch an instance page, under the Name and Tags section, enter the name you

would like to use for your Linux EC2 instance.

5. (Optional) Choose Add additional tags to add one or more tag key-value pairs to organize,

track, or control access for this EC2 instance.

6. In the Application and OS Image (Amazon Machine Image) section, choose a Linux AMI you

wish to launch.

Note

The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or

higher. To check the installed SSM Agent version in your AMI by launching an instance

from that AMI, see Getting the currently installed SSM Agent version. If you need to

upgrade the SSM Agent, see Installing and conﬁguring SSM Agent on EC2 instances for

Linux.

SSM uses the aws:domainJoin plugin when joining a Linux instance to a Active

Directory domain. The plugin changes the hostname for the Linux instances to the

format EC2AMAZ-XXXXXXX. For more information about aws:domainJoin, see AWS

Joining a Linux instance Version 1.0 229

AWS Directory Service Administration Guide

Systems Manager command document plugin reference in the AWS Systems Manager

User Guide.

7. In the Instance type section, choose the instance type you would like to use from Instance

type dropdown list.

8. In the Key pair (login) section, you can either choose to create a new key pair or choose from

an existing key pair. To create a new key pair, choose Create new key pair. Enter a name for

the key pair and select an option for the Key pair type and Private key ﬁle format. To save the

private key in a format that can be used with OpenSSH, choose .pem. To save the private key

in a format that can be used with PuTTY, choose .ppk. Choose create key pair. The private key

ﬁle is automatically downloaded by your browser. Save the private key ﬁle in a safe place.

Important

This is the only chance for you to save the private key ﬁle.

9. On the Launch an instance page, under Network settings section, choose Edit. Choose the

VPC that your directory was created in from the VPC - required dropdown list.

10. Choose one of the public subnets in your VPC from the Subnet dropdown list. The subnet you

choose must have all external traﬃc routed to an internet gateway. If this is not the case, you

won't be able to connect to the instance remotely.

For more information on how to connect to a internet gateway, see Connect to the internet

using an internet gateway in the Amazon VPC User Guide.

11. Under Auto-assign public IP, choose Enable.

For more information about public and private IP addressing, see Amazon EC2 instance IP

addressing in the Amazon EC2 User Guide.

12. For Firewall (security groups) settings, you can use the default settings or make changes to

meet your needs.

13. For Conﬁgure storage settings, you can use the default settings or make changes to meet your

needs.

14. Select Advanced details section, choose your domain from the Domain join directory

dropdown list.

Joining a Linux instance Version 1.0 230

AWS Directory Service Administration Guide

Note

After choosing the Domain join directory, you may see:

This error occurs if the EC2 launch wizard identiﬁes an existing SSM document with

unexpected properties. You can do one of the following:

• If you previously edited the SSM document and the properties are expected, choose

close and proceed to launch the EC2 instance with no changes.

• Select the delete the existing SSM document here link to delete the SSM document.

This will allow for the creation of an SSM document with the correct properties. The

SSM document will automatically be created when you launch the EC2 instance.

15. For IAM instance proﬁle, choose the IAM role that you previously created in the prerequisites

section Step 2: Create the LinuxEC2DomainJoin role.

16. Choose Launch instance.

Note

If you are performing a seamless domain join with SUSE Linux, a reboot is required before

authentications will work. To reboot SUSE from the Linux terminal, type sudo reboot.

Seamlessly joining an Amazon EC2 Linux instance to a shared AWS Managed

Microsoft AD

In this procedure, you'll seamlessly join an Amazon EC2 Linux instance to a shared AWS Managed

Microsoft AD. To do this, you'll create an AWS Secrets Manager IAM read policy in the EC2 instance

role in the account where you wish to launch the EC2 Linux instance. This will be referred to as

Account 2 in this procedure. This instance will be using the AWS Managed Microsoft AD that is

being shared from the other account which is referred to as Account 1.

Joining a Linux instance Version 1.0 231

AWS Directory Service Administration Guide

Prerequisites

Before you can seamlessly join an Amazon EC2 Linux instance to a shared AWS Managed Microsoft

AD, you'll need to complete the following:

• Steps 1 through 3 in the tutorial, Tutorial: Sharing your AWS Managed Microsoft AD directory for

seamless EC2 domain-join. This tutorial walks you through setting up your network and sharing

your AWS Managed Microsoft AD.

• The procedure outlined in Seamlessly joining an Amazon EC2 Linux instance to your AWS

Managed Microsoft AD Active Directory.

Step 1. Create LinuxEC2DomainJoin role in Account 2

In this step, you'll use the IAM console to create the IAM role that you'll use to domain join your

EC2 Linux instance while signed in to Account 2.

Create the LinuxEC2DomainJoin role

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the left navigation pane, under Access Management, choose Roles.

3. On the Roles page, choose Create role.

4. Under Select type of trusted entity, choose AWS service.

5. Under Use case, choose EC2, and then choose Next

6. For Filter policies, do the following:

Enter AmazonSSMManagedInstanceCore. Then select the checkbox for that item in the

list.

Enter AmazonSSMDirectoryServiceAccess. Then select the checkbox for that item in

the list.

c. After adding these policies, select Create role.

Note

AmazonSSMDirectoryServiceAccess provides the permissions to

join instances to an Active Directory managed by AWS Directory Service.

AmazonSSMManagedInstanceCore provides the minimum permissions

necessary to use AWS Systems Manager. For more information about creating

Joining a Linux instance Version 1.0 232

AWS Directory Service Administration Guide

a role with these permissions, and for information about other permissions and

policies you can assign to your IAM role, see Conﬁgure instance permissions

required for Systems Manager in the AWS Systems Manager User Guide.

Enter a name for your new role, such as LinuxEC2DomainJoin or another name that you

prefer in the Role name ﬁeld.

8. (Optional) For Role description, enter a description.

9. (Optional) Choose Add new tag under Step 3: Add tags to add tags. Tag key-value pairs are

used to organize, track, or control access for this role.

10. Choose Create role.

Step 2. Create cross account resource access to share AWS Secrets Manager secrets

The next section are additional requirements that need to be met to seamlessly join EC2 Linux

instances with a shared AWS Managed Microsoft AD. These requirements include creating resource

policies and attaching them to the appropriate services and resources.

To allow users in an account to access AWS Secrets Manager secrets in another account, you must

allow access in both a resource policy and identity policy. This type of access is called cross account

resource access.

This type of access is diﬀerent than granting access to identities in the same account as the Secrets

Manager secret. You must also allow the identity to use AWS Key Management Service (KMS) key

that the secret is encrypted with. This permission is necessary as you can’t use the AWS managed

key (aws/secretsmanager) for cross-account access. Instead, you'll encrypt your secret with a

KMS key that you create, and then attach a key policy to it. To change the encryption key for a

secret, see Modify an AWS Secrets Manager secret.

Note

There are fees associated with AWS Secrets Manager, depending on which secret you use.

For the current complete pricing list, see AWS Secrets Manager Pricing. You can use the

AWS managed key aws/secretsmanager that Secrets Manager creates to encrypt your

secrets for free. If you create your own KMS keys to encrypt your secrets, AWS charges you

at the current AWS KMS rate. For more information, see AWS Key Management Service

Pricing.

Joining a Linux instance Version 1.0 233

AWS Directory Service Administration Guide

The following steps allow you to create the resource policies to enable users to seamlessly join a

EC2 Linux instance to a shared AWS Managed Microsoft AD.

Attach a resource policy to the secret in Account 1

1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

2. From the list of secrets, choose your Secret you created during the Prerequisites.

3. On the Secret's details page under the Overview tab, scroll down to Resource permissions.

4. Select Edit permissions.

• In the policy ﬁeld, enter the following policy. The following policy allows

LinuxEC2DomainJoin in Account 2 to access the secret in Account 1. Replace the ARN

value with the ARN value for your Account 2, LinuxEC2DomainJoin role you created

in Step 1. To use this policy, see Attach a permissions policy to an AWS Secrets Manager

secret.

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::Account2:role/LinuxEC2DomainJoin"

"Action": "secretsmanager:GetSecretValue",

"Resource": "*"

}

]

}

Add a statement to the key policy for the KMS key in Account 1

1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

2. In the left navigation pane, select Customer managed keys.

3. On the Customer managed keys page, select the key you created.

4. On the Key Details page, navigate to Key policy, and select Edit.

Joining a Linux instance Version 1.0 234

AWS Directory Service Administration Guide

The following key policy statement allows ApplicationRole in Account 2 to use the KMS

key in Account 1 to decrypt the secret in Account 1. To use this statement, add it to the key

policy for your KMS key. For more information, see Changing a key policy.

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::Account2:role/ApplicationRole"

"Action": [

"kms:Decrypt",

"kms:DescribeKey"

"Resource": "*"

}

Create an identity policy to the identity in Account 2

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the left navigation pane, under Access management, select Policies.

3. Select Create Policy. Choose JSON in the Policy editor.

The following policy allows ApplicationRole in Account 2 to access the secret in Account

1 and decrypt the secret value by using the encryption key which is also in Account 1. You

can ﬁnd the ARN for your secret in the Secrets Manager console on the Secret Details page

under Secret ARN. Alternatively, you can call describe-secret to identify the secret’s ARN.

Replace the Resource ARN with the Resource ARN for the secret ARN and Account 1. To use

this policy, see Attach a permissions policy to an AWS Secrets Manager secret.

{

"Version" : "2012-10-17",

"Statement" : [

{

"Effect": "Allow",

"Action": "secretsmanager:GetSecretValue",

"Resource": "SecretARN"

{

Joining a Linux instance Version 1.0 235

AWS Directory Service Administration Guide

"Effect": "Allow",

"Action": [

"kms:Decrypt",

"kms:Describekey"

"Resource": "arn:aws:kms:Region:Account1:key/Your_Encryption_Key"

}

]

}

5. Select Next and then select Save changes.

Find and select the Role you created in Account 2 in Attach a resource policy to the secret in

Account 1.

7. Under Add permissions, select Attach policies.

8. In the search bar, ﬁnd the policy you created in Add a statement to the key policy for the KMS

key in Account 1 and select the box to add the policy to the role. Then select Add permissions.

Step 3. Seamlessly join your Linux instance

You can now use the following procedure to seamlessly join your EC2 Linux instance to your shared

AWS Managed Microsoft AD.

To seamlessly join your Linux instance

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://

console.aws.amazon.com/ec2/.

2. From the Region selector in the navigation bar, choose the same AWS Region as the existing

directory.

3. On the EC2 Dashboard, in the Launch instance section, choose Launch instance.

4. On the Launch an instance page, under the Name and Tags section, enter the name you

would like to use for your Linux EC2 instance.

5. (Optional) Choose Add additional tags to add one or more tag key-value pairs to organize,

track, or control access for this EC2 instance.

6. In the Application and OS Image (Amazon Machine Image) section, choose a Linux AMI you

wish to launch.

Joining a Linux instance Version 1.0 236

AWS Directory Service Administration Guide

Note

The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or

higher. To check the installed SSM Agent version in your AMI by launching an instance

from that AMI, see Getting the currently installed SSM Agent version. If you need to

upgrade the SSM Agent, see Installing and conﬁguring SSM Agent on EC2 instances for

Linux.

SSM uses the aws:domainJoin plugin when joining a Linux instance to a Active

Directory domain. The plugin changes the hostname for the Linux instances to the

format EC2AMAZ-XXXXXXX. For more information about aws:domainJoin, see AWS

Systems Manager command document plugin reference in the AWS Systems Manager

User Guide.

7. In the Instance type section, choose the instance type you would like to use from Instance

type dropdown list.

8. In the Key pair (login) section, you can either choose to create a new key pair or choose from

an existing key pair. To create a new key pair, choose Create new key pair. Enter a name for

the key pair and select an option for the Key pair type and Private key ﬁle format. To save the

private key in a format that can be used with OpenSSH, choose .pem. To save the private key

in a format that can be used with PuTTY, choose .ppk. Choose create key pair. The private key

ﬁle is automatically downloaded by your browser. Save the private key ﬁle in a safe place.

Important

This is the only chance for you to save the private key ﬁle.

9. On the Launch an instance page, under Network settings section, choose Edit. Choose the

VPC that your directory was created in from the VPC - required dropdown list.

10. Choose one of the public subnets in your VPC from the Subnet dropdown list. The subnet you

choose must have all external traﬃc routed to an internet gateway. If this is not the case, you

won't be able to connect to the instance remotely.

For more information on how to connect to a internet gateway, see Connect to the internet

using an internet gateway in the Amazon VPC User Guide.

11. Under Auto-assign public IP, choose Enable.

Joining a Linux instance Version 1.0 237

AWS Directory Service Administration Guide

For more information about public and private IP addressing, see Amazon EC2 instance IP

addressing in the Amazon EC2 User Guide.

12. For Firewall (security groups) settings, you can use the default settings or make changes to

meet your needs.

13. For Conﬁgure storage settings, you can use the default settings or make changes to meet your

needs.

14. Select Advanced details section, choose your domain from the Domain join directory

dropdown list.

Note

After choosing the Domain join directory, you may see:

This error occurs if the EC2 launch wizard identiﬁes an existing SSM document with

unexpected properties. You can do one of the following:

• If you previously edited the SSM document and the properties are expected, choose

close and proceed to launch the EC2 instance with no changes.

• Select the delete the existing SSM document here link to delete the SSM document.

This will allow for the creation of an SSM document with the correct properties. The

SSM document will automatically be created when you launch the EC2 instance.

15. For IAM instance proﬁle, choose the IAM role that you previously created in the prerequisites

section Step 2: Create the LinuxEC2DomainJoin role.

16. Choose Launch instance.

Note

If you are performing a seamless domain join with SUSE Linux, a reboot is required before

authentications will work. To reboot SUSE from the Linux terminal, type sudo reboot.

Joining a Linux instance Version 1.0 238

AWS Directory Service Administration Guide

Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft

AD Active Directory

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux

instances to your AWS Managed Microsoft AD Active Directory. The following Linux instance

distributions and versions are supported:

• Amazon Linux AMI 2018.03.0

• Amazon Linux 2 (64-bit x86)

• Amazon Linux 2023 AMI

• Red Hat Enterprise Linux 8 (HVM) (64-bit x86)

• Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS

• CentOS 7 x86-64

• SUSE Linux Enterprise Server 15 SP1

Note

Other Linux distributions and versions may work but have not been tested.

Join a Linux instance to your AWS Managed Microsoft AD

Before you can join either an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory,

the instance must ﬁrst be launched as speciﬁed in Seamlessly join your Linux instance.

Important

Some of the following procedures, if not performed correctly, can render your instance

unreachable or unusable. Therefore, we strongly suggest you make a backup or take a

snapshot of your instance before performing these procedures.

To join a Linux instance to your directory

Follow the steps for your speciﬁc Linux instance using one of the following tabs:

Joining a Linux instance Version 1.0 239

AWS Directory Service Administration Guide

Amazon Linux

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your Amazon Linux - 64bit instance is up to date.

sudo yum -y update

4. Install the required Amazon Linux packages on your Linux instance.

Note

Some of these packages may already be installed.

As you install the packages, you might be presented with several pop-up

conﬁguration screens. You can generally leave the ﬁelds in these screens blank.

Amazon Linux

sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli

krb5-workstation

Note

For help with determining the Amazon Linux version you are using, see Identifying

Amazon Linux images in the Amazon EC2 User Guide for Linux Instances.

5. Join the instance to the directory with the following command.

sudo realm join -U [email protected] example.com --verbose

Joining a Linux instance Version 1.0 240

AWS Directory Service Administration Guide

[email protected]

An account in the example.com domain that has domain join privileges. Enter the

password for the account when prompted. For more information about delegating these

privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

...

* Successfully enrolled machine in realm

6. Set the SSH service to allow password authentication.

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

7. After the instance has restarted, connect to it with any SSH client and add the AWS

Delegated Administrators group to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

sudo visudo

Add the following to the bottom of the sudoers ﬁle and save it.

## Add the "AWS Delegated Administrators" group from the example.com domain.

Joining a Linux instance Version 1.0 241

AWS Directory Service Administration Guide

%AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

CentOS

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your CentOS 7 instance is up to date.

sudo yum -y update

4. Install the required CentOS 7 packages on your Linux instance.

Note

Some of these packages may already be installed.

As you install the packages, you might be presented with several pop-up

conﬁguration screens. You can generally leave the ﬁelds in these screens blank.

sudo yum -y install sssd realmd krb5-workstation samba-common-tools

5. Join the instance to the directory with the following command.

sudo realm join -U [email protected] example.com --verbose

Joining a Linux instance Version 1.0 242

AWS Directory Service Administration Guide

[email protected]

An account in the example.com domain that has domain join privileges. Enter the

password for the account when prompted. For more information about delegating these

privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

...

* Successfully enrolled machine in realm

6. Set the SSH service to allow password authentication.

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

7. After the instance has restarted, connect to it with any SSH client and add the AWS

Delegated Administrators group to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

sudo visudo

Add the following to the bottom of the sudoers ﬁle and save it.

## Add the "AWS Delegated Administrators" group from the example.com domain.

Joining a Linux instance Version 1.0 243

AWS Directory Service Administration Guide

%AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

Red Hat

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure the Red Hat - 64bit instance is up to date.

sudo yum -y update

4. Install the required Red Hat packages on your Linux instance.

Note

Some of these packages may already be installed.

As you install the packages, you might be presented with several pop-up

conﬁguration screens. You can generally leave the ﬁelds in these screens blank.

sudo yum -y install sssd realmd krb5-workstation samba-common-tools

5. Join the instance to the directory with the following command.

sudo realm join -v -U join_account example.com --install=/

Joining a Linux instance Version 1.0 244

AWS Directory Service Administration Guide

join_account

The sAMAccountName for an account in the example.com domain that has domain join

privileges. Enter the password for the account when prompted. For more information

about delegating these privileges, see Delegating directory join privileges for AWS

Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

...

* Successfully enrolled machine in realm

6. Set the SSH service to allow password authentication.

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

7. After the instance has restarted, connect to it with any SSH client and add the AWS

Delegated Administrators group to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

sudo visudo

Add the following to the bottom of the sudoers ﬁle and save it.

## Add the "AWS Delegated Administrators" group from the example.com domain.

Joining a Linux instance Version 1.0 245

AWS Directory Service Administration Guide

%AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

SUSE

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your SUSE Linux 15 instance is up to date.

a. Connect the package repository.

sudo SUSEConnect -p PackageHub/15.1/x86_64

b. Update SUSE.

sudo zypper update -y

4. Install the required SUSE Linux 15 packages on your Linux instance.

Note

Some of these packages may already be installed.

As you install the packages, you might be presented with several pop-up

conﬁguration screens. You can generally leave the ﬁelds in these screens blank.

sudo zypper -n install realmd adcli sssd sssd-tools sssd-ad samba-client krb5-

client

5. Join the instance to the directory with the following command.

Joining a Linux instance Version 1.0 246

AWS Directory Service Administration Guide

sudo realm join -U join_account example.com --verbose

join_account

The sAMAccountName in the example.com domain that has domain join privileges. Enter

the password for the account when prompted. For more information about delegating

these privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully-qualiﬁed DNS name of your directory.

…

realm: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.

Note that both of the following returns are expected.

! Couldn't authenticate with keytab while discovering which salt to use:

! Enabling SSSD in nsswitch.conf and PAM failed.

6. Manually enable SSSD in PAM.

sudo pam-config --add --sss

7. Edit nsswitch.conf to enable SSSD in nsswitch.conf

sudo vi /etc/nsswitch.conf

passwd: compat sss

group: compat sss

shadow: compat sss

8. Add the following line to /etc/pam.d/common-session to auto create a home directory at

initial login

sudo vi /etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Joining a Linux instance Version 1.0 247

AWS Directory Service Administration Guide

9. Reboot the instance to complete the domain joined process.

sudo reboot

10.Reconnect to the instance using any SSH client to verify the domain join has completed

successfully and ﬁnalize additional steps.

a. To conﬁrm the instance has been enrolled on the domain

sudo realm list

example.com

type: kerberos

realm-name: EXAMPLE.COM

domain-name: example.com

configured: kerberos-member

server-software: active-directory

client-software: sssd

required-package: sssd-tools

required-package: sssd

required-package: adcli

required-package: samba-client

b. To verify the status of SSSD daemon

systemctl status sssd

sssd.service - System Security Services Daemon

Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor

preset: disabled)

Active: active (running) since Wed 2020-04-15 16:22:32 UTC; 3min 49s ago

Main PID: 479 (sssd)

Tasks: 4

CGroup: /system.slice/sssd.service

##479 /usr/sbin/sssd -i --logger=files

##505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --

logger=files

##548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files

##549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Joining a Linux instance Version 1.0 248

AWS Directory Service Administration Guide

11.To permit a user access via SSH and console

sudo realm permit [email protected]

To permit a domain group access via SSH and console

sudo realm permit -g 'AWS Delegated Administrators'

Or to permit all users access

sudo realm permit --all

12.Set the SSH service to allow password authentication.

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

13.13. After the instance has restarted, connect to it with any SSH client and add the AWS

Delegated Administrators group to the sudoers list by performing the following steps:

a. Open the sudoers ﬁle with the following command:

sudo visudo

b. Add the following to the bottom of the sudoers ﬁle and save it.

## Add the "Domain Admins" group from the awsad.com domain.

Joining a Linux instance Version 1.0 249

AWS Directory Service Administration Guide

%AWS\ Delegated\ [email protected] ALL=(ALL) NOPASSWD: ALL

Ubuntu

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your Ubuntu - 64bit instance is up to date.

sudo apt-get update

sudo apt-get -y upgrade

4. Install the required Ubuntu packages on your Linux instance.

Note

Some of these packages may already be installed.

As you install the packages, you might be presented with several pop-up

conﬁguration screens. You can generally leave the ﬁelds in these screens blank.

sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli

5. Disable Reverse DNS resolution and set the default realm to your domain's FQDN. Ubuntu

Instances must be reverse-resolvable in DNS before the realm will work. Otherwise, you have

to disable reverse DNS in /etc/krb5.conf as follows:

sudo vi /etc/krb5.conf

[libdefaults]

default_realm = EXAMPLE.COM

rdns = false

Joining a Linux instance Version 1.0 250

AWS Directory Service Administration Guide

6. Join the instance to the directory with the following command.

sudo realm join -U join_account example.com --verbose

[email protected]

The sAMAccountName for an account in the example.com domain that has domain join

privileges. Enter the password for the account when prompted. For more information

about delegating these privileges, see Delegating directory join privileges for AWS

Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

...

* Successfully enrolled machine in realm

7. Set the SSH service to allow password authentication.

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

8. After the instance has restarted, connect to it with any SSH client and add the AWS

Delegated Administrators group to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

Joining a Linux instance Version 1.0 251

AWS Directory Service Administration Guide

sudo visudo

Add the following to the bottom of the sudoers ﬁle and save it.

## Add the "AWS Delegated Administrators" group from the example.com domain.

%AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

Restricting account login access

Since all accounts are deﬁned in Active Directory, by default, all the users in the directory can log in

to the instance. You can allow only speciﬁc users to log in to the instance with ad_access_ﬁlter in

sssd.conf. For example:

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

memberOf

Indicates that users should only be allowed access to the instance if they are a member of a

speciﬁc group.

The common name of the group that should have access. In this example, the group name is

admins.

This is the organizational unit in which the above group is located. In this example, the OU is

Testou.

This is the domain component of your domain. In this example, example.

This is an additional domain component. In this example, com.

Joining a Linux instance Version 1.0 252

AWS Directory Service Administration Guide

You must manually add ad_access_ﬁlter to your /etc/sssd/sssd.conf.

Open the /etc/sssd/sssd.conf ﬁle in a text editor.

sudo vi /etc/sssd/sssd.conf

After you do this, your sssd.conf might look like this:

[sssd]

domains = example.com

config_file_version = 2

services = nss, pam

[domain/example.com]

ad_domain = example.com

krb5_realm = EXAMPLE.COM

realmd_tags = manages-system joined-with-samba

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = True

fallback_homedir = /home/%u@%d

access_provider = ad

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

In order for the conﬁguration to take eﬀect, you need to restart the sssd service:

sudo systemctl restart sssd.service

Alternatively, you could use:

sudo service sssd restart

Since all accounts are deﬁned in Active Directory, by default, all the users in the directory can log in

to the instance. You can allow only speciﬁc users to log in to the instance with ad_access_ﬁlter in

sssd.conf.

For example:

Joining a Linux instance Version 1.0 253

AWS Directory Service Administration Guide

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

memberOf

Indicates that users should only be allowed access to the instance if they are a member of a

speciﬁc group.

The common name of the group that should have access. In this example, the group name is

admins.

This is the organizational unit in which the above group is located. In this example, the OU is

Testou.

This is the domain component of your domain. In this example, example.

This is an additional domain component. In this example, com.

You must manually add ad_access_ﬁlter to your /etc/sssd/sssd.conf.

1. Open the /etc/sssd/sssd.conf ﬁle in a text editor.

sudo vi /etc/sssd/sssd.conf

2. After you do this, your sssd.conf might look like this:

[sssd]

domains = example.com

config_file_version = 2

services = nss, pam

[domain/example.com]

ad_domain = example.com

krb5_realm = EXAMPLE.COM

realmd_tags = manages-system joined-with-samba

cache_credentials = True

id_provider = ad

Joining a Linux instance Version 1.0 254

AWS Directory Service Administration Guide

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = True

fallback_homedir = /home/%u@%d

access_provider = ad

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

3. In order for the conﬁguration to take eﬀect, you need to restart the sssd service:

sudo systemctl restart sssd.service

Alternatively, you could use:

sudo service sssd restart

ID Mapping

ID mapping can be performed by two methods to maintain a uniﬁed experience between UNIX/

Linux User Identiﬁer (UID) and Group Identiﬁer (GID) and Windows and Active Directory Security

Identiﬁer (SID) identities.

1. Centralized

2. Distributed

Note

Centralized user identity mapping in Active Directory requires Portable Operating System

Interface or POSIX.

Centralized user identity mapping

Active Directory or another Lightweight Directory Access Protocol (LDAP) service provides UID and

GID to the Linux users. In Active Directory, these identiﬁers are stored in the users' attributes:

• UID - The Linux username (String)

• UID Number - The Linux User ID number (Integer)

Joining a Linux instance Version 1.0 255

AWS Directory Service Administration Guide

• GID Number - The Linux Group ID number (Integer)

To conﬁgure a Linux instance to use the UID and GID from Active Directory, set ldap_id_mapping

= False in the sssd.conf ﬁle. Before setting this value, verify you have added a UID, UID number

and GID number to the users and groups in Active Directory.

Distributed user identity mapping

If Active Directory doesn't have the POSIX extension or if you choose not to centrally manage

identity mapping, Linux can calculate the UID and GID values. Linux uses the user's unique Security

Identiﬁer (SID) to maintain consistency.

To conﬁgure distributed user ID mapping, set ldap_id_mapping = True in the sssd.conf ﬁle.

Connect to the Linux instance

When a user connects to the instance using an SSH client, they are prompted for their username.

The user can enter the username in either the [email protected] or EXAMPLE\username

format. The response will appear similar to the following, depending on which Linux distribution

you are using:

Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux

[email protected]'s password:

Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX

SUSE Linux

SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:

- zypper command for package management

- yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics

Documentation: https://www.suse.com/documentation/sles-15/

Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...

Joining a Linux instance Version 1.0 256

AWS Directory Service Administration Guide

Ubuntu Linux

[email protected]@10.24.34.0's password:

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation: https://help.ubuntu.com

* Management: https://landscape.canonical.com

* Support: https://ubuntu.com/advantage

System information as of Sat Apr 18 22:03:35 UTC 2020

System load: 0.01 Processes: 102

Usage of /: 18.6% of 7.69GB Users logged in: 2

Memory usage: 16% IP address for eth0: 10.24.34.1

Swap usage: 0%

Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft

AD Active Directory using Winbind

You can use the Winbind service to manually join your Amazon EC2 Linux instances to an AWS

Managed Microsoft AD Active Directory domain. This enables your existing on-premises Active

Directory users to use their Active Directory credentials when accessing the Linux instances joined

to your AWS Managed Microsoft AD Active Directory. The following Linux instance distributions and

versions are supported:

• Amazon Linux AMI 2018.03.0

• Amazon Linux 2 (64-bit x86)

• Amazon Linux 2023 AMI

• Red Hat Enterprise Linux 8 (HVM) (64-bit x86)

• Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS

• CentOS 7 x86-64

• SUSE Linux Enterprise Server 15 SP1

Note

Other Linux distributions and versions may work but have not been tested.

Joining a Linux instance Version 1.0 257

AWS Directory Service Administration Guide

Join a Linux instance to your AWS Managed Microsoft AD Active Directory

Important

Some of the following procedures, if not performed correctly, can render your instance

unreachable or unusable. Therefore, we strongly suggest you make a backup or take a

snapshot of your instance before performing these procedures.

To join a Linux instance to your directory

Follow the steps for your speciﬁc Linux instance using one of the following tabs:

Amazon Linux/CENTOS/REDHAT

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your Linux instance is up to date.

sudo yum -y update

4. Install the required Samba / Winbind packages on your Linux instance.

sudo yum -y install authconfig samba samba-client samba-winbind samba-winbind-

clients

Make a backup of the main smb.conf ﬁle so you can revert back to it in case of any failure:

sudo cp /etc/samba/smb.conf /etc/samba/smb.bk

Open the original conﬁguration ﬁle [/etc/samba/smb.conf] in a text editor.

sudo vim /etc/samba/smb.conf

Joining a Linux instance Version 1.0 258

AWS Directory Service Administration Guide

Fill in your Active Directory domain environment information as shown in the below example:

[global]

workgroup = example

security = ads

realm = example.com

idmap config * : rangesize = 1000000

idmap config * : range = 1000000-19999999

idmap config * : backend = autorid

winbind enum users = no

winbind enum groups = no

template homedir = /home/%U@%D

template shell = /bin/bash

winbind use default domain = false

Open the hosts ﬁle [/etc/hosts] in a text editor.

sudo vim /etc/hosts

Add your Linux instance private IP address as follows:

10.x.x.x Linux_hostname.example.com Linux_hostname

Note

If you did not specify your IP Address in the /etc/hosts ﬁle, you might receive the

following DNS error while joining the instance to the domain.:

No DNS domain configured for linux-instance. Unable to perform

DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER

This error means that the join was successful but the [net ads] command was unable

to register the DNS record in DNS.

8. Join the Linux instance to Active Directory using the net utility.

sudo net ads join -U [email protected]

Joining a Linux instance Version 1.0 259

AWS Directory Service Administration Guide

[email protected]

An account in the example.com domain that has domain join privileges. Enter the

password for the account when prompted. For more information about delegating these

privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

Enter join_account@example.com's password:

Using short domain name -- example

Joined 'IP-10-x-x-x' to dns domain 'example.com'

9. Modify PAM Conﬁguration ﬁle, Use the command below to add the necessary entries for

winbind authentication:

sudo authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update

10.

Set the SSH service to allow password authentication by editing the /etc/ssh/

sshd_config ﬁle..

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vi /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

11.After the instance has restarted, connect to it with any SSH client and add the root privileges

for a domain user or group to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

Joining a Linux instance Version 1.0 260

AWS Directory Service Administration Guide

sudo visudo

b. Add the required groups or users from your Trusting or Trusted domain as follows, and

then save it.

## Adding Domain Users/Groups.

%domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL

%domainname\\groupname ALL=(ALL:ALL) ALL

domainname\\username ALL=(ALL:ALL) ALL

%Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL

Trusted_DomainName\\username ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

SUSE

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your SUSE Linux 15 instance is up to date.

a. Connect the package repository.

sudo SUSEConnect -p PackageHub/15.1/x86_64

b. Update SUSE.

sudo zypper update -y

4. Install the required Samba / Winbind packages on your Linux instance.

sudo zypper in -y samba samba-winbind

Make a backup of the main smb.conf ﬁle so you can revert back to it in case of any failure:

Joining a Linux instance Version 1.0 261

AWS Directory Service Administration Guide

sudo cp /etc/samba/smb.conf /etc/samba/smb.bk

Open the original conﬁguration ﬁle [/etc/samba/smb.conf] in a text editor.

sudo vim /etc/samba/smb.conf

Fill in your Active directory domain environment information as shown in the below example:

[global]

workgroup = example

security = ads

realm = example.com

idmap config * : rangesize = 1000000

idmap config * : range = 1000000-19999999

idmap config * : backend = autorid

winbind enum users = no

winbind enum groups = no

template homedir = /home/%U@%D

template shell = /bin/bash

winbind use default domain = false

Open the hosts ﬁle [/etc/hosts] in a text editor.

sudo vim /etc/hosts

Add your Linux instance private IP address as follows:

10.x.x.x Linux_hostname.example.com Linux_hostname

Note

If you did not specify your IP Address in the /etc/hosts ﬁle, you might receive the

following DNS error while joining the instance to the domain.:

No DNS domain configured for linux-instance. Unable to perform

DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER

This error means that the join was successful but the [net ads] command was unable

to register the DNS record in DNS.

Joining a Linux instance Version 1.0 262

AWS Directory Service Administration Guide

8. Join the Linux instance to the directory with the following command.

sudo net ads join -U [email protected]

join_account

The sAMAccountName in the example.com domain that has domain join privileges. Enter

the password for the account when prompted. For more information about delegating

these privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully-qualiﬁed DNS name of your directory.

Enter [email protected]'s password:

Using short domain name -- example

Joined 'IP-10-x-x-x' to dns domain 'example.com'

9. Modify PAM Conﬁguration ﬁle, Use the command below to add the necessary entries for

Winbind authentication:

sudo pam-config --add --winbind --mkhomedir

10.

Open the Name Service Switch conﬁguration ﬁle [/etc/nsswitch.conf] in a text editor.

vim /etc/nsswitch.conf

Add the Winbind directive as shown below.

passwd: files winbind

shadow: files winbind

group: files winbind

11.

Set the SSH service to allow password authentication by editing the /etc/ssh/

sshd_config ﬁle..

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vim /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

Joining a Linux instance Version 1.0 263

AWS Directory Service Administration Guide

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

12.After the instance has restarted, connect to it with any SSH client and add root privileges for

a domain user or group, to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

sudo visudo

b. Add the required groups or users from your Trusting or Trusted domain as follows, and

then save it.

## Adding Domain Users/Groups.

%domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL

%domainname\\groupname ALL=(ALL:ALL) ALL

domainname\\username ALL=(ALL:ALL) ALL

%Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL

Trusted_DomainName\\username ALL=(ALL:ALL) ALL

(The above example uses "\<space>" to create the Linux space character.)

Ubuntu

1. Connect to the instance using any SSH client.

2. Conﬁgure the Linux instance to use the DNS server IP addresses of the AWS Directory

Service-provided DNS servers. You can do this either by setting it up in the DHCP Options

set attached to the VPC or by setting it manually on the instance. If you want to set it

manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the

Joining a Linux instance Version 1.0 264

AWS Directory Service Administration Guide

AWS Knowledge Center for guidance on setting the persistent DNS server for your particular

Linux distribution and version.

3. Make sure your Linux instance is up to date.

sudo yum -y update

sudo apt-get -y upgrade

4. Install the required Samba / Winbind packages on your Linux instance.

sudo apt -y install samba winbind libnss-winbind libpam-winbind

Make a backup of the main smb.conf ﬁle so you can revert back to it in case of any failure.

sudo cp /etc/samba/smb.conf /etc/samba/smb.bk

Open the original conﬁguration ﬁle [/etc/samba/smb.conf] in a text editor.

sudo vim /etc/samba/smb.conf

Fill in your Active directory domain environment information as shown in the below example:

[global]

workgroup = example

security = ads

realm = example.com

idmap config * : rangesize = 1000000

idmap config * : range = 1000000-19999999

idmap config * : backend = autorid

winbind enum users = no

winbind enum groups = no

template homedir = /home/%U@%D

template shell = /bin/bash

winbind use default domain = false

Open the hosts ﬁle [/etc/hosts] in a text editor.

sudo vim /etc/hosts

Add your Linux instance private IP address as follows:

Joining a Linux instance Version 1.0 265

AWS Directory Service Administration Guide

10.x.x.x Linux_hostname.example.com Linux_hostname

Note

If you did not specify your IP Address in the /etc/hosts ﬁle, you might receive the

following DNS error while joining the instance to the domain.:

No DNS domain configured for linux-instance. Unable to perform

DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER

This error means that the join was successful but the [net ads] command was unable

to register the DNS record in DNS.

8. Join the Linux instance to Active Directory using the net utility.

sudo net ads join -U [email protected]

[email protected]

An account in the example.com domain that has domain join privileges. Enter the

password for the account when prompted. For more information about delegating these

privileges, see Delegating directory join privileges for AWS Managed Microsoft AD.

example.com

The fully qualiﬁed DNS name of your directory.

Enter join_account@example.com's password:

Using short domain name -- example

Joined 'IP-10-x-x-x' to dns domain 'example.com'

9. Modify PAM Conﬁguration ﬁle, Use the command below to add the necessary entries for

Winbind authentication:

sudo pam-auth-update --add --winbind --enable mkhomedir

10.

Open the Name Service Switch conﬁguration ﬁle [/etc/nsswitch.conf] in a text editor.

vim /etc/nsswitch.conf

Joining a Linux instance Version 1.0 266

AWS Directory Service Administration Guide

Add the Winbind directive as shown below.

passwd: compat winbind

group: compat winbind

shadow: compat winbind

11.

Set the SSH service to allow password authentication by editing the /etc/ssh/

sshd_config ﬁle..

Open the /etc/ssh/sshd_config ﬁle in a text editor.

sudo vim /etc/ssh/sshd_config

Set the PasswordAuthentication setting to yes.

PasswordAuthentication yes

c. Restart the SSH service.

sudo systemctl restart sshd.service

Alternatively:

sudo service sshd restart

12.After the instance has restarted, connect to it with any SSH client and add root privileges for

a domain user or group, to the sudoers list by performing the following steps:

Open the sudoers ﬁle with the following command:

sudo visudo

b. Add the required groups or users from your Trusting or Trusted domain as follows, and

then save it.

## Adding Domain Users/Groups.

%domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL

%domainname\\groupname ALL=(ALL:ALL) ALL

domainname\\username ALL=(ALL:ALL) ALL

%Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL

Trusted_DomainName\\username ALL=(ALL:ALL) ALL

Joining a Linux instance Version 1.0 267

AWS Directory Service Administration Guide

(The above example uses "\<space>" to create the Linux space character.)

Connect to the Linux instance

When a user connects to the instance using an SSH client, they are prompted for their username.

The user can enter the username in either the [email protected] or EXAMPLE\username

format. The response will appear similar to the following, depending on which Linux distribution

you are using:

Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux

[email protected]'s password:

Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX

SUSE Linux

SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:

- zypper command for package management

- yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics

Documentation: https://www.suse.com/documentation/sles-15/

Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...

Ubuntu Linux

[email protected]@10.24.34.0's password:

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation: https://help.ubuntu.com

* Management: https://landscape.canonical.com

* Support: https://ubuntu.com/advantage

System information as of Sat Apr 18 22:03:35 UTC 2020

Joining a Linux instance Version 1.0 268

AWS Directory Service Administration Guide

System load: 0.01 Processes: 102

Usage of /: 18.6% of 7.69GB Users logged in: 2

Memory usage: 16% IP address for eth0: 10.24.34.1

Swap usage: 0%

Joining an Amazon EC2 Mac instance to your AWS Managed Microsoft

AD Active Directory

This procedure manually joins an Amazon EC2 Mac instance to your AWS Managed Microsoft AD

Active Directory.

Prerequisites

• Amazon EC2 Mac instances require Amazon EC2 Dedicated Hosts. You must allocate a dedicated

host and launch an instance onto the host. For more information, see Launch a Mac instance in

Amazon EC2 User Guide.

• We recommend creating a DHCP option set for your AWS Managed Microsoft AD Active

Directory. This will allow any instances in your Amazon VPC to point to the speciﬁed domain and

DNS servers to resolve their domain names. See Creating or changing a DHCP options set for

AWS Managed Microsoft AD for more information.

Note

Dedicated Host pricing varies by the payment option that you select. For more information,

see Pricing and Billing in Amazon EC2 User Guide.

Manually joining a Mac instance

1. Use the following SSH command to connect to your Mac instance. For more information about

connecting to your Mac instance, see Connect to your Mac instance.

ssh -i /path/key-pair-name.pem ec2-user@my-instance-public-dns-name

After you connect to your Mac instance, create a password for the ec2-user account using the

following command:

sudo passwd ec2-user

Joining a Mac instance Version 1.0 269

AWS Directory Service Administration Guide

When prompted at the command line, provide a password for the ec2-user account. You

can update your operating system and software by following the procedure in Update the

operating system and software in Amazon EC2 User Guide.

Use the following dsconfigad command to join your Mac instance to the AWS Managed

Microsoft AD Active Directory domain. Make sure to replace the domain name, computer

name, and organizational unit with your AWS Managed Microsoft AD Active Directory domain

information. For more information, see Conﬁguring domain access in Directory Utility on Mac

on Apple website.

Warning

The computer name shouldn't contain a hyphen. Hyphens might prevent the bind to

the AWS Managed Microsoft AD Active Directory.

sudo dsconfigad -add domainName -computer computerName -username Username -

ou "Your-AWS-Delegated-Organizational-Unit"

The following example is what the command should look like when joining an administrative

user on a Mac instance named myec2mac01 to the example.com domain:

sudo dsconfigad -add example.com -computer myec2mac01 -username admin -

ou "OU=Computers,OU=Example,DC=Example,DC=com"

5. Use the following command to add the AWS Delegated Administrators to the administrative

user on your Mac instance:

sudo dsconfigad -group "EXAMPLE\aws delegated administrators

6. Use the following command to conﬁrm the AWS Managed Microsoft AD Active Directory

domain join was successful:

dsconfigad -show

You have successfully joined your Mac instance to your AWS Managed Microsoft AD Active

Directory. You can now log in to your Mac instance using your AWS Managed Microsoft AD Active

Directory credentials.

Joining a Mac instance Version 1.0 270

AWS Directory Service Administration Guide

When you ﬁrst log in to your Mac instance, you should be provided with an option to log in as the

"Other" user. At this point, you can use your Active Directory domain credentials to log in to the

Mac instance. If you're not provided with "Other" on the log in screen after completing these steps,

To log in using the graphical user interface with a domain user, follow the steps in Connect to your

instance's graphical user interface (GUI) in Amazon EC2 User Guide.

Delegating directory join privileges for AWS Managed Microsoft AD

To join a computer to your AWS Managed Microsoft AD, you need an account that has privileges to

join computers to the directory.

With AWS Directory Service for Microsoft Active Directory, members of the Admins and AWS

Delegated Server Administrators groups have these privileges.

However, as a best practice, you should use an account that has only the minimum privileges

necessary. The following procedure demonstrates how to create a new group called Joiners and

delegate the privileges to this group that are needed to join computers to the directory.

You must perform this procedure on a computer that is joined to your directory and has the Active

Directory User and Computers MMC snap-in installed. You must also be logged in as a domain

administrator.

To delegate join privileges for AWS Managed Microsoft AD

1. Open Active Directory User and Computers and select the organizational unit (OU) that has

your NetBIOS name in the navigation tree, then select the Users OU.

Important

When you launch a AWS Directory Service for Microsoft Active Directory, AWS creates

an organizational unit (OU) that contains all your directory’s objects. This OU, which

has the NetBIOS name that you typed when you created your directory, is located in

the domain root. The domain root is owned and managed by AWS. You cannot make

changes to the domain root itself, therefore, you must create the Joiners group

within the OU that has your NetBIOS name.

2. Open the context menu (right-click) for Users, choose New, and then choose Group.

Delegating directory join privileges Version 1.0 271

AWS Directory Service Administration Guide

3. In the New Object - Group box, type the following and choose OK.

•

For Group name, type Joiners.

• For Group scope, choose Global.

• For Group type, choose Security.

4. In the navigation tree, select the Computers container under your NetBIOS name. From the

Action menu, choose Delegate Control.

5. On the Delegation of Control Wizard page, choose Next, and then choose Add.

In the Select Users, Computers, or Groups box, type Joiners and choose OK. If more than

one object is found, select the Joiners group created above. Choose Next.

7. On the Tasks to Delegate page, select Create a custom task to delegate, and then choose

Next.

8. Select Only the following objects in the folder, and then select Computer objects.

9. Select Create selected objects in this folder and Delete selected objects in this folder. Then

choose Next.

10. Select Read and Write, and then choose Next.

Delegating directory join privileges Version 1.0 272

AWS Directory Service Administration Guide

11. Verify the information on the Completing the Delegation of Control Wizard page and choose

Finish.

12.

Create a user with a strong password and add that user to the Joiners group. This user must

be in the Users container that is under your NetBIOS name. The user will then have suﬃcient

privileges to connect instances to the directory.

Creating or changing a DHCP options set for AWS Managed Microsoft

AWS recommends that you create a DHCP options set for your AWS Directory Service directory and

assign the DHCP options set to the VPC that your directory is in. This allows any instances in that

VPC to point to the speciﬁed domain and DNS servers to resolve their domain names.

For more information about DHCP options sets, see DHCP options sets in the Amazon VPC User

Guide.

To create a DHCP options set for your directory

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

Creating or changing a DHCP options set Version 1.0 273

AWS Directory Service Administration Guide

2. In the navigation pane, choose DHCP Options Sets, and then choose Create DHCP options set.

3. On the Create DHCP options set page, enter the following values for your directory:

Name

An optional tag for the options set.

Domain name

The fully qualiﬁed name of your directory, such as corp.example.com.

Domain name servers

The IP addresses of your AWS-provided directory's DNS servers.

Note

You can ﬁnd these addresses by going to the AWS Directory Service console

navigation pane, selecting Directories and then choosing the correct directory ID.

NTP servers

Leave this ﬁeld blank.

NetBIOS name servers

Leave this ﬁeld blank.

NetBIOS node type

Leave this ﬁeld blank.

4. Choose Create DHCP options set. The new set of DHCP options appears in your list of DHCP

options.

Make a note of the ID of the new set of DHCP options (dopt-xxxxxxxx). You use it to associate

the new options set with your VPC.

To change the DHCP options set associated with a VPC

After you create a set of DHCP options, you can't modify them. If you want your VPC to use a

diﬀerent set of DHCP options, you must create a new set and associate them with your VPC. You

can also set up your VPC to use no DHCP options at all.

Creating or changing a DHCP options set Version 1.0 274

AWS Directory Service Administration Guide

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Your VPCs.

3. Select the VPC, and then choose Actions, Edit VPC settings.

4. For DHCP options set, select an options set or choose No DHCP options set, and then choose

Save.

To change the DHCP options set associated with a VPC using command line see the following:

• AWS CLI: associate-dhcp-options

• AWS Tools for Windows PowerShell: Register-EC2DhcpOption

User and group management in AWS Managed Microsoft AD

You can manage users and groups in AWS Managed Microsoft AD. You create a user to represent

a person or entity that can access your directory. You can also create a group to grant and deny

permissions to more than one user at a time. You can add not only users to a group, but also

groups to a group. When you add a user to a group, the user inherits the roles and permissions

assigned to the group. When you add a group to a group, the groups share a parent-child

relationship, where the child group inherits the roles and permissions assigned to the parent group.

You can also copy a user's group memberships into another user.

You can manage users and groups with the section called “Directory Service Data” using the

following methods:

• AWS Management Console

• AWS CLI

• AWS Directory Service Data API

For a demonstration of the AWS Directory Service Data CLI, see the following YouTube video.

Manage users and groups in AWS Managed Microsoft AD using CRUD APIs

Alternatively, you can use a domain-joined instance.

User and group management Version 1.0 275

AWS Directory Service Administration Guide

Manage users and groups with the AWS Management Console

You can manage users and groups with the AWS Management Console with AWS Directory Service

Data. Directory Service Data is an extension of AWS Directory Service that provides you with the

ability to perform built-in object management tasks. Some of these tasks include creating users

and groups and adding users to groups as well as groups to a group.

For more information, see Manage AWS Managed Microsoft AD users and groups with the AWS

Management Console.

Note

To use this feature, it must be enabled. For more information, see Enable user and group

management.

You can only manage users and groups with the AWS Management Console from the

Primary AWS Region. For more information, see Primary vs additional Regions.

Manage users and groups with the AWS CLI

You can manage users and groups with the AWS CLI through the AWS Directory Service Data API.

Directory Service Data is an extension of AWS Directory Service that provides you with the ability

to perform built-in object management tasks using the ds-data namespace. Some of these tasks

include creating users and groups and adding users to groups as well as groups to a group.

Create a user with AWS Directory Service Data CLI

The following is an example AWS CLI command that uses the ds-data namespace to create a user.

aws ds-data create-user --directory-id d-1234567890 --sam-account-name "jane.doe" --

region your-Primary-Region-name

Note

To use this AWS CLI, it must be enabled. For more information, see Enabling or disabling

user and group management or AWS Directory Service Data.

You can only manage users and groups with the AWS Directory Service Data CLI from the

primary AWS Region. For more information, see Primary vs additional Regions.

AWS Management Console Version 1.0 276

AWS Directory Service Administration Guide

For more information, see Manage AWS Managed Microsoft AD users and groups with the AWS CLI.

Manage users and groups with an on-premise instance or Amazon EC2

instance

If the AWS Directory Service Data doesn't support your use case, we recommend managing users

and groups with an on-premise or EC2 instance.

To create users and groups in an AWS Managed Microsoft AD, you can use any instance (from

either on-premises or EC2) that has been joined to your AWS Managed Microsoft AD. You need to

be logged in as a user that has privileges to create users and groups. You will also need to install

the Active Directory Tools on your instance so you can add your users and groups with the Active

Directory Users and Computers tool.

• You can deploy a pre-conﬁgured EC2 instance with preinstalled Active Directory administrative

tools from AWS Directory Service management console. For more information, see Launching a

directory administration instance in your AWS Managed Microsoft AD Active Directory.

• If you need to deploy a self-managed EC2 instance with administrative tools and install the

necessary tools, see Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed

Microsoft AD Active Directory.

Topics

• Manage AWS Managed Microsoft AD users and groups with the AWS Management Console or

AWS CLI

• Manage users and groups with an Amazon EC2 instance

Manage AWS Managed Microsoft AD users and groups with the AWS

Management Console or AWS CLI

You can use the AWS Management Console or AWS CLI to manage your AWS Managed Microsoft

AD users and groups with AWS Directory Service Data. The AWS Directory Service Data CLI uses the

ds-data namespace. For more information on the AWS CLI, see Getting started with AWS CLI.

See the following procedures for more information on creating, viewing, updating, and deleting

AWS Managed Microsoft AD users and groups.

User and group management procedures

On-premises or Amazon EC2 instance Version 1.0 277

AWS Directory Service Administration Guide

• Enabling or disabling user and group management or AWS Directory Service Data

• Creating an AWS Managed Microsoft AD user

• Viewing and updating an AWS Managed Microsoft AD user

• Deleting an AWS Managed Microsoft AD user

• Disabling an AWS Managed Microsoft AD user

• Resetting and enabling an AWS Managed Microsoft AD user's password

• Creating an AWS Managed Microsoft AD group

• Viewing and updating an AWS Managed Microsoft AD group's details

• Deleting an AWS Managed Microsoft AD group

• Adding and removing AWS Managed Microsoft AD members to groups and groups to groups

• Copying an AWS Managed Microsoft AD group memberships in the AWS Management Console

Enabling or disabling user and group management or AWS Directory Service Data

To use user and group management or AWS Directory Service Data, it must be enabled. Once

enabled, you can manage users and groups from the AWS Management Console or AWS CLI.

Important

• You can only enable this feature from the Primary AWS Region. For more information,

see Primary vs additional Regions.

• Access controls for AWS Directory Service Data are diﬀerent than access controls for AWS

services like Amazon WorkSpaces, Amazon QuickSight, and Amazon WorkMail. For more

information, see AWS application authorization with Directory Service Data.

Enabling AWS Directory Service Data

Use the following procedure to enable user and group management or AWS Directory Service Data

for an existing AWS Managed Microsoft AD with either the AWS Management Console or AWS CLI.

AWS Management Console

You can enable user and group management with the AWS Management Console.

Manage users and group with the console or CLI Version 1.0 278

AWS Directory Service Administration Guide

To enable user and group management

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. On the Directory details page, to enable user and group management, select Enable.

3. In the Enable user and group management dialog box, select Enable.

AWS CLI

The following describes how to format a request that enables the AWS Directory Service Data

CLI. You must include your Directory ID number in your request.

Note

The enable AWS Directory Service Data CLI commands use aws ds.

To enable AWS Directory Service Data CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID with your

AWS Managed Microsoft AD Directory ID:

aws ds enable-directory-data-access --directory-id d-1234567890

Disabling AWS Directory Service Data

Use the following procedure to disable user and group management or AWS Directory Service Data

for an existing AWS Managed Microsoft AD with either the AWS Management Console or AWS CLI.

AWS Management Console

You can disable user and group management with the AWS Management Console.

To disable user and group management

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. On the Directory details page, to disable user and group management, select Disable.

Manage users and group with the console or CLI Version 1.0 279

AWS Directory Service Administration Guide

3. In the Disable user and group management dialog box, select Disable.

AWS CLI

The following describes how to format a request that disables the AWS Directory Service Data

CLI. You must include your Directory ID number in your request.

Note

The disable AWS Directory Service Data CLI commands use aws ds.

To disable AWS Directory Service Data CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID with your

AWS Managed Microsoft AD Directory ID:

aws ds disable-directory-data-access --directory-id d-1234567890

Creating an AWS Managed Microsoft AD user

Use the following procedure to create a new AWS Managed Microsoft AD user with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Before you begin either procedure, you need to complete the following:

• By default, Kerberos preauthentication is enabled for all new user accounts. This setting

shouldn't be modiﬁed. For more information, see Preauthentication on the Microsoft website.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

AWS Management Console

You can create a new AWS Managed Microsoft AD user account in the AWS Management

Console. When you create a new user account, you specify the new user's details and determine

Manage users and group with the console or CLI Version 1.0 280

AWS Directory Service Administration Guide

whether to add the new user to a group or copy another user's group memberships into the

new user.

For more information, see AWS Directory Service Data attributes and Group type and group

scope.

To create an AWS Managed Microsoft AD user with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. On the Directory details page, under the Users section, choose Create users account.

5. The Specify user details page opens. Under the Required information section, enter a user

logon name and password. User logon names must meet the following conditions:

• Must be a unique logon name

• Can be up to 20 characters long

• Can only contain alphanumeric characters

•

Cannot contain any of the following characters: / [ ] : ; | , + * ? < > @

• The password must adhere to your password policy requirements. Check with your AWS

administrator for more information.

Warning

The user logon name cannot be changed after the user is created.

a. (Optional) Under the Primary information section, you can enter a ﬁrst and last name

for the user. You can also enter a display name and description for the user.

b. (Optional) Under the Contact methods section, you can enter an email address and

telephone numbers for the user.

c. (Optional) Under the Job-related information section, you can enter a department,

manager, oﬃce, and company for the user.

Manage users and group with the console or CLI Version 1.0 281

AWS Directory Service Administration Guide

d. (Optional) Under the Address section, you can enter an address for the user.

e. (Optional) Under the Account settings section, you can enter notes, a preferred

language, and service principal name for the user.

For more information on user attributes, see AWS Directory Service Data attributes and

Microsoft documentation.

6. Choose Next once you've provided the user account details.

7. On the Add users to groups - optional page, you can add the user to a new group or to

an existing group. You can also copy the group membership of an existing user to the new

user. If you don't want to add a user to a group, choose Next. Move to Step 12 to continue

this procedure.

8. (Optional) To create a new group, see Create a AWS Managed Microsoft AD group.

9. (Optional) To add a new user to an existing group:

• Select the group you want to add the new user to in the Groups section. To ﬁnd

groups, enter the group name in the search box.

10. (Optional) To copy the group membership of an existing user to a new user:

a. Choose the Copy group membership from user tab. To ﬁnd a user with a group

membership you want to copy, enter the user logon name in the search box under the

Users section.

b. In the Selected groups section, select the groups the new user should become a

member of.

11. Choose Next when you're ready to create the new user account.

12. On the Review and create user page, review all the choices you made. Choose Create user.

13. After the user is conﬁgured, you've taken to the new user's details page. A banner appears

stating the user was successfully created.

Important

If you receive an error message telling you that you don't have permission to create a

user, follow the instructions in the error message to request that your administrator

grant you access.

Manage users and group with the console or CLI Version 1.0 282

AWS Directory Service Administration Guide

AWS CLI

The following describes how to format a request that creates a new AWS Managed Microsoft

AD user account with the AWS Directory Service Data CLI. You must include your directory ID

number and a user logon name in your request. You can also include other attributes, such as a

user display name with the DisplayName attribute. For more information, see AWS Directory

Service Data attributes and Group type and group scope.

To create an AWS Managed Microsoft AD user with AWS CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID, username,

and display name with your AWS Managed Microsoft AD Directory ID and desired

credentials:

aws ds-data create-user --directory-id d-1234567890 --sam-account-name "jane.doe" --

other-attributes '{ "DisplayName ": { "S": "jane.doe"} }'

Viewing and updating an AWS Managed Microsoft AD user

Use the following procedure to view or update an AWS Managed Microsoft AD user's details with

user and group management or AWS Directory Service Data in either the AWS Management

Console or AWS CLI.

Viewing an AWS Managed Microsoft AD user's details

You can view a user's details in the AWS Management Console or AWS CLI. The user's details

includes proﬁle and account information and group membership.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD user.

Manage users and group with the console or CLI Version 1.0 283

AWS Directory Service Administration Guide

AWS Management Console

You can view an AWS Managed Microsoft AD user's details in the AWS Management Console.

To view an AWS Managed Microsoft AD user's details and account details with the AWS

Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Users. The tab shows a list of users in your directory.

5. Select a user. You’re directed to the User details screen. The User details screen shows the

following information:

• Groups the user is a member of (group memberships)

• Proﬁle details (such as primary information like user logon name, ﬁrst name, last name,

etc.)

• Account settings (such as account information like user principal name, service principal

name, distinguished name, etc.)

• Account status

For more information on user attributes, see AWS Directory Service Data attributes and

Microsoft documentation.

AWS CLI

With the AWS CLI, you can view a user's details, which includes proﬁle and account information

and group memberships.

To view an AWS Managed Microsoft AD user's proﬁle and account details with the AWS CLI

The following describes how to view an AWS Managed Microsoft AD user's details with the AWS

Directory Service Data CLI.

Manage users and group with the console or CLI Version 1.0 284

AWS Directory Service Administration Guide

• To view a user's details, open the AWS CLI, and run the following command, replacing

the Directory ID and username with your AWS Managed Microsoft AD Directory ID and

username:

aws ds-data describe-user --directory-id d-1234567890 --sam-account-name "jane.doe"

To view a user's group memberships

The following describes how to view an AWS Managed Microsoft AD user's group membership

with the AWS Directory Service Data CLI.

• To view a user's group memberships, open the AWS CLI, and run the following command,

replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID

and username:

aws ds-data list-groups-for-member --directory-id d-1234567890 --sam-account-name

"jane.doe"

For more information on user attributes, see AWS Directory Service Data attributes and

Microsoft documentation.

Updating an AWS Managed Microsoft AD user's details

Use the following procedure to update an AWS Managed Microsoft AD user with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD user.

Manage users and group with the console or CLI Version 1.0 285

AWS Directory Service Administration Guide

AWS Management Console

You can update an AWS Managed Microsoft AD user's details in the AWS Management Console.

To update an AWS Managed Microsoft AD user's details with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Users. The tab shows a list of users in your directory.

5. Select a user. To ﬁnd a user, enter the user logon name in the search box under the Users

section. You’re directed to the User details screen.

6. To edit groups the user is a member of, choose Groups. From this tab, you can add and

remove the user from groups. For more information, see Add an AWS Managed Microsoft

AD member to a group.

7. To edit the user's proﬁle details, choose Proﬁle, and then choose Edit. Or choose Actions,

and then choose Edit user. Make and review your updates, and then choose Save.

Warning

The user logon name cannot be changed after the user is created.

8. To edit the user's account settings, choose User account settings. Or choose Actions, and

then choose Edit user. Make and review your updates, and then choose Save.

For more information on user attributes, see AWS Directory Service Data attributes and

Microsoft documentation.

AWS CLI

The following describes how to format a request that updates an AWS Managed Microsoft AD

user's details with AWS Directory Service Data CLI.

When you update a user's account, you must include your directory ID number and user logon

name. You also must include the update type and attribute you want to update in your request,

Manage users and group with the console or CLI Version 1.0 286

AWS Directory Service Administration Guide

such as a user last name with the Surname parameter. For more information, see AWS Directory

Service Data attributes.

• To update a user's details, open the AWS CLI, and run the following command, replacing

the Directory ID, username, user type, and attribute value with your AWS Managed

Microsoft AD Directory ID, username, and desired user type and attribute value:

aws ds-data update-user --directory-id d-1234567890 --sam-account-name "jane.doe" --

update-type "your-update-type" --surname "your-attribute-value"

For more information on user attributes, see AWS Directory Service Data attributes and

Microsoft documentation.

Deleting an AWS Managed Microsoft AD user

Use the following procedure to delete an AWS Managed Microsoft AD user with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Important

When you delete a user's account from a directory, all information about the user is

removed, including any permissions the user has to access their account and applications.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD user.

AWS Management Console

You can delete an AWS Managed Microsoft AD user account in the AWS Management Console.

Manage users and group with the console or CLI Version 1.0 287

AWS Directory Service Administration Guide

To delete an AWS Managed Microsoft AD user account with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Users. The tab shows a list of users in your directory.

5. Choose the user whose account you want to delete. To ﬁnd a user, enter the user logon

name in the search box under the Users section. You're directed to the User details screen.

6. Choose Actions. Then choose Delete user account and Delete user account again.

AWS CLI

The following describes how to format a request that deletes an AWS Managed Microsoft AD

user's account with the AWS Directory Service Data CLI.

To delete an AWS Managed Microsoft AD user account with AWS CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID and

username with your AWS Managed Microsoft AD Directory ID and username:

aws ds-data delete-user --directory-id d-1234567890 --sam-account-name "jane.doe"

Disabling an AWS Managed Microsoft AD user

Use the following procedure to disable an AWS Managed Microsoft AD user with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Important

When you disable a user's account, the user loses any permissions to access their account

and applications.

Manage users and group with the console or CLI Version 1.0 288

AWS Directory Service Administration Guide

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD user.

AWS Management Console

You can disable an AWS Managed Microsoft AD user account in the AWS Management Console.

To disable an AWS Managed Microsoft AD user account with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Users. The tab shows a list of users in your directory.

5. Choose the user whose account you want to disable. You're directed to the User details

screen.

6. Choose Actions. Then choose Disable user account and Disable user account again.

Note

To re-enable your user's account, you must reset the user's password. For more

information, see Resetting and enabling an AWS Managed Microsoft AD user's

password.

Manage users and group with the console or CLI Version 1.0 289

AWS Directory Service Administration Guide

AWS CLI

The following describes how to format a request that disables an AWS Managed Microsoft AD

user account with the AWS Directory Service Data CLI.

To disable an AWS Managed Microsoft AD user account with the AWS CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID and

username with your AWS Managed Microsoft AD Directory ID and username:

aws ds-data disable-user --directory-id 1234567890 --sam-account-name "jane.doe"

Note

To re-enable your user account, you must reset the user's password. For more

information, see Resetting and enabling an AWS Managed Microsoft AD user's

password.

Resetting and enabling an AWS Managed Microsoft AD user's password

Use the following procedure to reset an AWS Managed Microsoft AD user's password to enable

their account with user and group management or AWS Directory Service Data in either the AWS

Management Console or AWS CLI.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD user.

Manage users and group with the console or CLI Version 1.0 290

AWS Directory Service Administration Guide

AWS Management Console

You can reset an AWS Managed Microsoft AD user's password to enable their account in the

AWS Management Console. You can perform this task from either the Directories screen or

Directory details screen.

Directories

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose Actions, and then choose Reset user password and enable account.

a. Under User logon name, enter the user logon name for the user whose password you

want to reset.

b. Under New password, enter the user's new password.

c. Under Conﬁrm password, enter user's new password again.

4. After you conﬁrm the user's new password, choose Reset password and enable account.

Directory details

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Users. The tab shows a list of users in your directory.

5. Select the user whose password you want to reset.

6. Choose Actions, and then choose Reset user password and enable account.

a. Under New password, enter the user's new password.

b. Under Conﬁrm password, enter user's new password again.

7. After you conﬁrm the user's new password, choose Reset password and enable account.

Manage users and group with the console or CLI Version 1.0 291

AWS Directory Service Administration Guide

AWS CLI

You can reset an AWS Managed Microsoft AD use's password to enable their account with the

AWS Directory Service Data CLI.

Note

The reset user's password command uses aws ds.

To reset an AWS Managed Microsoft AD user's password with the AWS CLI

• To reset a user's password, open the AWS CLI, and run the following command, replacing

the Directory ID, username, and password with your AWS Managed Microsoft AD Directory

ID, username, and desired credentials:

aws ds reset-user-password --directory-id d-1234567890 --user-name jane.doe --new-

password your-password

Creating an AWS Managed Microsoft AD group

Use the following procedure to create an AWS Managed Microsoft AD group with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

AWS Management Console

You can create a new AWS Managed Microsoft AD group in the AWS Management Console.

When you create a new group, you specify the group's details and determine the group's type

Manage users and group with the console or CLI Version 1.0 292

AWS Directory Service Administration Guide

and scope. You also have the option to add users and child groups to your new group or add

your new group to a parent group.

To create an AWS Managed Microsoft AD group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Group. The tab shows a list of groups in your AWS Region.

5. Choose Create group. You're directed to a procedure where you ﬁnish creating your new

group.

6. The Specify group details page opens. Enter a Group name. Group names must meet the

following conditions:

• Must be unique group name

• Can be up to 64 characters long

• Can only contain alphanumeric characters

•

Cannot contain any of the following characters: / [ ] : ; | , + * ? < > @

Warning

The group name cannot be changed after the group is created.

7. Choose the Group type from one of the following:

• Security

• Distribution

• To learn more, see the section called “Group type”.

8. Choose the Group scope from one of the following:

• Domain local

• Universal

Manage users and group with the console or CLI Version 1.0 293

AWS Directory Service Administration Guide

• Global

• You can turn on Compare scopes to display a chart of the similarities and diﬀerences

between group scopes. To learn more, see the section called “Group scope”.

9. After providing the primary information and contact methods, choose Next.

10. The Add users to group - Optional page opens and you can add users to the new group.

To ﬁnd a user to add to the group, enter the user logon name in the search box under the

Users section. Select the users you want to add to the group and choose Next.

11. The Add child groups - Optional page opens and you can add existing groups to the new

group. The existing groups becomes child groups of the newly created group. When you

add a child group to your group, your group becomes the parent group, and the child group

inherits all of your group's roles and permissions. To ﬁnd groups to add, enter the group

name in the search box under the Add child groups section. Select the children groups you

want to add to the new group and choose Next.

12. The Add parent groups - Optional page opens and you can add the new group to existing

groups. The new group becomes the parent group of the existing groups. When you add

your group to a parent group, your group becomes the child group and inherits all of the

parent group's roles and permissions. To ﬁnd groups to add, enter the group name in the

search box under the Add parent groups section. Select the parent groups you want to add

to the new group and choose Next.

13. On the Review and create group page, review your choices, and then choose Create group.

AWS CLI

The following describes how to format a request that creates an AWS Managed Microsoft AD

group with the AWS Directory Service Data CLI. When you create a new group, you must include

your Directory ID number and a group name. You can also add other attributes, such as a group

display name with the DisplayName attribute. For more information, see AWS Directory

Service Data attributes and Group type and group scope.

To create an AWS Managed Microsoft AD group with the AWS CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID, username

and group display name with your AWS Managed Microsoft AD Directory ID, username, and

desired group display name:

Manage users and group with the console or CLI Version 1.0 294

AWS Directory Service Administration Guide

aws ds-data create-group --directory-id d-1234567890 --sam-account-name "your-group-

name" --other-attributes '{ "DisplayName ": { "S": "myGroupDisplayName"} }'

Viewing and updating an AWS Managed Microsoft AD group's details

Use the following procedure to view or update an AWS Managed Microsoft AD group's details

with user and group management or AWS Directory Service Data in either the AWS Management

Console or AWS CLI.

Viewing an AWS Managed Microsoft AD group's detail

You can view a group's details in the AWS Management Console.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD group.

AWS Management Console

You can view an AWS Managed Microsoft AD group's details in the AWS Management Console.

To view AWS Managed Microsoft AD group's details with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Group. The tab shows a list of groups in your AWS Region.

Manage users and group with the console or CLI Version 1.0 295

AWS Directory Service Administration Guide

5. Choose a group. To ﬁnd groups, enter the group name in the search box under the Groups

section. You're directed to the Group details screen. The Group details screen shows the

following information:

• Member tab lists the users and child groups that are members of your group.

• Parent groups tab lists the parent groups that your group is a member of.

• Properties tab lists the group properties (such as primary information like group name,

group display name, etc.).

AWS CLI

You can view and update an AWS Managed Microsoft AD group's details with the AWS Directory

Service Data CLI.

To view an AWS Managed Microsoft AD group's details with the AWS CLI

The following describes how to view an AWS Managed Microsoft AD group's details with the

AWS CLI.

• To view a group's details, open the AWS CLI, and run the following command, replacing the

Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group

name:

aws ds-data describe-group --directory-id d-1234567890 --sam-account-name "your-

group-name"

To view an AWS Managed Microsoft AD group's group members with the AWS Management

Console

The following describes how to view an AWS Managed Microsoft AD group's members with the

AWS CLI.

• To view a group's details, open the AWS CLI, and run the following command, replacing the

Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group

name:

Manage users and group with the console or CLI Version 1.0 296

AWS Directory Service Administration Guide

aws ds-data list-group-members --directory-id d-1234567890 --sam-account-name "your-

group-name"

Updating an AWS Managed Microsoft AD group's details

Use the following procedure to update an AWS Managed Microsoft AD group's details with user

and group management or AWS Directory Service Data in either the AWS Management Console or

AWS CLI.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Creating an AWS Managed Microsoft AD group.

AWS Management Console

You can update a group's details with the AWS Management Console. For more information, see

AWS Directory Service Data attributes and Group type and group scope

To update an AWS Managed Microsoft AD group's details with the AWS Management

Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Group. The tab shows a list of groups in your AWS Region.

5. Choose a group. To ﬁnd groups, enter the group name in the search box under the Groups

section. You're directed to the Group details screen.

Manage users and group with the console or CLI Version 1.0 297

AWS Directory Service Administration Guide

6. To edit users and child groups that are members of your group, choose Members. From

this tab, you can add and remove users and child groups from your group. For more

information, see Adding and removing members to groups and groups to groups.

7. To edit parent groups that your group is a member of, choose Parent groups. From this tab,

you can add and remove your group from parent groups. For more information, see Adding

and removing members to groups and groups to groups.

8. To edit your group properties, choose Properties, and then choose Edit. Or choose Actions,

and then choose Edit group. Make and review your updates, and then choose Save.

AWS CLI

The following describes how to format a request that updates an AWS Managed Microsoft AD

group's details with the AWS Directory Service Data CLI.

When you update a group, you must include your directory ID number and group name. You

also must include the update type and attribute you want to update in your request, such as

a group email address with the EmailAddress parameter. For more information, see AWS

Directory Service Data attributes and Group type and group scope.

• To update an AWS Managed Microsoft AD group's details with the AWS CLI

To update a group's details, open the AWS CLI, and run the following command, replacing

the Directory ID, group name, update type, and attribute with your AWS Managed

Microsoft AD Directory ID, group name, and desired update type and attribute:

aws ds-data update-group --directory-id d-1234567890 --sam-account-name "your-group-

name" --update-type "your-update-type" --email-address "your-attribute-value"

Deleting an AWS Managed Microsoft AD group

Use the following procedure to delete an AWS Managed Microsoft AD group with user and group

management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Manage users and group with the console or CLI Version 1.0 298

AWS Directory Service Administration Guide

Important

When you delete a group, all information about the group is removed, including any

permissions that group members inherit.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Create an AWS Managed Microsoft AD group.

AWS Management Console

You can delete an AWS Managed Microsoft AD group in the AWS Management Console.

To delete an AWS Managed Microsoft AD group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Group. The tab shows a list of groups in your AWS Region.

5. Choose the group that you want to delete. To ﬁnd groups, enter the group name in the

search box under the Groups section. You're directed to the Group details screen.

6. Choose Delete group. A dialog box appears where you can choose Conﬁrm to delete the

group.

Manage users and group with the console or CLI Version 1.0 299

AWS Directory Service Administration Guide

AWS CLI

The following describes how to format a request that deletes an AWS Managed Microsoft AD

group with the AWS Directory Service Data CLI.

To delete an AWS Managed Microsoft AD group with the AWS CLI

• Open the AWS CLI, and run the following command, replacing the Directory ID and group

name with your AWS Managed Microsoft AD Directory ID and group name:

aws ds-data delete-group --directory-id d-1234567890 --sam-account-name "your-group-

name"

Adding and removing AWS Managed Microsoft AD members to groups and groups

to groups

With the AWS Directory Service Data API, a member can be a user, group, or computer. A user

represents a person or entity that can access your directory. Groups allow you to grant and deny

permissions to more than one user at a time.

Use the following procedures to add or remove an AWS Managed Microsoft AD user to a group or

group to another group with user and group management or AWS Directory Service Data in either

the AWS Management Console or AWS CLI.

Adding a user to a group

Use the following procedure to add an AWS Managed Microsoft AD user to a group with user and

group management or AWS Directory Service Data in either the AWS Management Console or AWS

CLI.

Important

When you add an AWS Managed Microsoft AD user to a group, the user inherits the roles

and permissions assigned to the group. These roles and permissions are part of the user's

group memberships.

Manage users and group with the console or CLI Version 1.0 300

AWS Directory Service Administration Guide

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Create an AWS Managed Microsoft AD user.

• Create an AWS Managed Microsoft AD group.

AWS Management Console

You can add an AWS Managed Microsoft AD member to a group with the AWS Management

Console.

To add AWS Managed Microsoft AD user to a group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. To ﬁnd groups, enter the group name in the search box under the Groups

section. The tab shows a list of groups in your AWS Region.

5. Choose a group. You're directed to the Group details screen.

6. Choose Members. The tab shows a list of users and child groups by member type in your

group.

7. Under Members tab, Choose Add member.

8. Under Members, select the user you want to add to your group, and then choose Add

member to group. To ﬁnd members, enter the user logon name for users and group name

for groups in the search box under the Members section.

Manage users and group with the console or CLI Version 1.0 301

AWS Directory Service Administration Guide

AWS CLI

The following describes how to format a request that adds an AWS Managed Microsoft AD

member to a group with the AWS Directory Service Data CLI.

To add an AWS Managed Microsoft AD user to a group with the AWS CLI

• To add a user to a group, open the AWS CLI, and run the following command, replacing the

Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID

and group and member names:

aws ds-data add-group-member --directory-id d-1234567890 --group-name "your-group-

name" --member-name "jane.doe"

Removing a user from a group

With the AWS Directory Service Data API, a member can be a user, group, or computer. A user

represents a person or entity that can access your directory. Groups allow you to grant and deny

permissions to more than one user at a time.

Use the following procedure to remove an AWS Managed Microsoft AD user to a group with user

and group management or AWS Directory Service Data in either the AWS Management Console or

AWS CLI.

Important

When you remove an AWS Managed Microsoft AD user from a group, the user loses access

to the roles and permissions assigned to the group. These roles and permissions are part of

the group's memberships.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

Manage users and group with the console or CLI Version 1.0 302

AWS Directory Service Administration Guide

• Create an AWS Managed Microsoft AD user.

• Create an AWS Managed Microsoft AD group.

AWS Management Console

You can remove an AWS Managed Microsoft AD member from a group with the AWS

Management Console.

To remove an AWS Managed Microsoft AD user from a group with the AWS Management

Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose a group. To ﬁnd groups, enter the group name in the search box under the Groups

section. You're directed to the Group details screen.

6. Choose Members. The tab shows a list of users and child groups by member type in your

group.

7. Select the user you want to remove from your group, and then choose Remove. To ﬁnd

users, enter the user logon name in the search box under the Members section.

8. Conﬁrm that you want to remove the user from your group, and then choose Remove

again.

AWS CLI

The following describes how to format a request that removes an AWS Managed Microsoft AD

member from a group with the AWS Directory Service Data CLI.

Manage users and group with the console or CLI Version 1.0 303

AWS Directory Service Administration Guide

To remove an AWS Managed Microsoft AD user from a group with AWS CLI

• To remove a user to a group, open the AWS CLI, and run the following command, replacing

the Directory ID, group and member names with your AWS Managed Microsoft AD

Directory ID, group and member names:

aws ds-data remove-group-member --directory-id d-1234567890 --group-name "your-

group-name" --member-name "jane.doe"

Adding a group to a group

When you add an AWS Managed Microsoft AD group to another group, the groups share a parent-

child relationship. The child group gains access to the roles and permissions that are assigned to

the parent group. You can add a child group to your group and your group to a parent group.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Create an AWS Managed Microsoft AD group.

AWS Management Console

You can add an AWS Managed Microsoft AD group to a group with the AWS Management

Console.

To add a child group to your group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

Manage users and group with the console or CLI Version 1.0 304

AWS Directory Service Administration Guide

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose a group. To ﬁnd groups, enter the group name in the search box under the Groups

section. You're directed to the Group details screen.

6. Choose Members. The tab shows a list of users and child groups by member type in your

group.

7. Choose Add member.

8. Under Members, select the child group(s) you want to add to your group, and then choose

Add member to group.

To add a parent group to a group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose a group. To ﬁnd groups, enter the group name in the search box under the Groups

section. You're directed to the Group details screen.

6. Choose Parent groups. The tab shows a list of groups that your group is a member of.

7. Choose Add parent groups.

8. Under Groups, select the group(s) you want to add your group to, and then choose Add

parent groups again.

AWS CLI

The following describes how to format a request that adds an AWS Managed Microsoft AD

group to a group with the AWS Directory Service Data CLI.

To add a child group to your group with the AWS CLI

• To add a child group to a parent group, open the AWS CLI, and run the following command,

replacing the Directory ID, group and member names with your AWS Managed Microsoft

AD Directory ID, group and member names:

Manage users and group with the console or CLI Version 1.0 305

AWS Directory Service Administration Guide

aws ds-data add-group-member --directory-id d-1234567890 --group-name "parent-group-

name" --member-name "child-group-name"

Removing a group from a group

When you remove an AWS Managed Microsoft AD group from another group, the groups no longer

share a parent-child relationship. The child group loses access to the roles and permissions that are

assigned to the parent group. You can remove a child group from your group and your group from

a parent group.

Before you begin either procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Create an AWS Managed Microsoft AD group.

AWS Management Console

You can remove an AWS Managed Microsoft AD group to a group with the AWS Management

Console.

To remove a child group from your group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose a group. You're directed to the Group details screen. To ﬁnd groups, enter the

group name in the search box under the Groups section.

Manage users and group with the console or CLI Version 1.0 306

AWS Directory Service Administration Guide

6. Choose Members. The tab shows a list of users and child groups by member type in your

group.

7. Select the child group(s) you want to remove from your group, and then choose Remove.

8. Conﬁrm the child group(s) you want to remove from your group, and then choose Remove

again.

To remove your group from a parent group with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS

Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose a group. You're directed to the Group details screen. To ﬁnd groups, enter the

group name in the search box under the Groups section.

6. Choose Parent groups. The tab shows a list of groups that your group is a member of.

7. Select the parent group you want to remove your group from, and then choose Remove

parent groups.

8. Conﬁrm the parent group you want to remove your group from, and then choose Remove

parent groups again.

AWS CLI

The following describes how to format a request that removes an AWS Managed Microsoft AD

group to a group with the AWS Directory Service Data CLI.

• To remove a child group from a parent group with the AWS CLI

To add remove a child group from a parent group, open the AWS CLI, and run the following

command, replacing the Directory ID, group and member names with your AWS Managed

Microsoft AD Directory ID, group and member names:

Manage users and group with the console or CLI Version 1.0 307

AWS Directory Service Administration Guide

aws ds-data remove-group-member --directory-id d-1234567890 --group-name "parent-

group-name" --member-name "child-group-name"

Copying an AWS Managed Microsoft AD group memberships in the AWS

Management Console

You can copy group memberships from one AWS Managed Microsoft AD user into another user

in the AWS Management Console. Group memberships are the roles and permissions that a user

inherits when you add them to a group.

Before you begin this procedure, you need to complete the following:

• Creating your AWS Managed Microsoft AD.

• To use user and group management or AWS Directory Service Data CLI, it must be enabled. For

more information, see Enable user and group management or Directory Service Data.

• You can only enable this feature from the Primary AWS Region. For more information, see

Primary vs additional Regions.

• Create an AWS Managed Microsoft AD group.

To copy AWS Managed Microsoft AD group memberships with the AWS Management Console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/

directoryservicev2/.

2. From the navigation pane, choose Active Directory, and then choose Directories. You're

directed to the Directories screen where you can view a list of directories in your AWS Region.

3. Choose a directory. You're directed to the Directory details screen.

4. Choose Groups. The tab shows a list of groups in your AWS Region.

5. Choose the user whose account you want to copy their group membership. To ﬁnd a user,

enter the user logon name in the search box under the Users section. You're directed to the

User details screen.

6. Choose Copy all group memberships. You're directed to a procedure where you can specify

which groups you want to copy.

a. For Verify groups to copy, under Groups to copy, select the groups with roles and

permissions you want to copy, and then choose Next.

Manage users and group with the console or CLI Version 1.0 308

AWS Directory Service Administration Guide

b. For Select destination account, under Account type, choose Existing user account to

copy group memberships into an existing user account. Alternatively, choose New user

account to create a new user and copy group memberships into the new user account. To

ﬁnd a group, enter the group's name in the search box under the Selected groups section.

i. (Optional) If you choose Existing user account, select destination accounts where you

want to copy the roles and permissions into, and then choose Next.

ii. (Optional) If you choose New user account, complete the procedure, and then choose

Next. For information about creating a user, see Creating a user.

c. For Review and copy group memberships, review your choices, and then choose Copy

group membership.

Manage users and groups with an Amazon EC2 instance

This section includes procedures for managing users and groups with an Amazon EC2 instance

that's joined to your AWS Managed Microsoft AD.

We recommend managing users and groups with an Amazon EC2 instance if the Directory Service

Data API doesn't support your use case. For more information, see the AWS Directory Service Data

API Reference.

Note

Before you complete any of the procedures in the following topics, you must install the

Active Directory administration tools. For more information, see Install the Active Directory

administration tools.

Topics

• Installing Active Directory Administration Tools for AWS Managed Microsoft AD

• Creating an AWS Managed Microsoft AD user

• Delete a user's account with an Amazon EC2 instance

• Resetting an AWS Managed Microsoft AD user password

• Creating an AWS Managed Microsoft AD group

• Adding an AWS Managed Microsoft AD user to a group

Manage users and groups with an Amazon EC2 instance Version 1.0 309

AWS Directory Service Administration Guide

Installing Active Directory Administration Tools for AWS Managed Microsoft AD

You can manage your AWS Managed Microsoft AD Active Directory using Active Directory Domain

Services and Active Directory Lightweight Directory Services Tools. To use Active Directory Domain

Services and Active Directory Lightweight Directory Services Tools, you'll need to install them.

The following procedures walks you through how you can install these tools on an Amazon EC2

Windows Server instance or with a Windows PowerShell command. Alternatively, you can launch a

directory administration EC2 instance which already has these tools installed.

EC2 Windows Server instance

Before you can begin this procedure, complete the following:

1. Create an AWS Managed Microsoft AD Active Directory. For more information, see Creating

your AWS Managed Microsoft AD.

2. Launch and join an EC2 Windows Server instance to your AWS Managed Microsoft AD

Active Directory. The EC2 instance needs the following policies to create users and groups:

AWSSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess. For more

information, see Launching a directory administration instance in your AWS Managed

Microsoft AD Active Directory and Joining an Amazon EC2 Windows instance to your AWS

Managed Microsoft AD Active Directory.

3. You will need the credentials for your Active Directory domain Administrator. These

credentials were created when the AWS Managed Microsoft AD was created. If you followed

the procedure in Creating your AWS Managed Microsoft AD, your Administrator username

includes your NetBIOS name, corp\admin.

Installing Active Directory administration tools on a EC2 Windows Server instance

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the Amazon EC2 console, choose Instances, select the Windows Server instance, and

then choose Connect.

3. In the Connect to instance page, choose RDP client.

4. In the RDP client tab, choose Download Remote Desktop File, then choose Get Password

to retrieve your password.

5. In the Get Windows password, choose Upload private key ﬁle. Choose the .pem private

key ﬁle associated with the Windows Server instance. After uploading the private key ﬁle,

select Decrypt password.

Manage users and groups with an Amazon EC2 instance Version 1.0 310

AWS Directory Service Administration Guide

6. In the Windows Security dialog box, copy your local administrator credentials for the

Windows Server computer to sign in. The username can be in the following formats:

NetBIOS-Name\admin or DNS-Name\admin. For example, corp\admin would be the

username if you followed the procedure in Creating your AWS Managed Microsoft AD.

7. Once signed in to the Windows Server instance, open Server Manager from the Start menu

by choosing Server Manager.

8. In the Server Manager Dashboard, choose Add roles and features.

9. In the Add Roles and Features Wizard choose Installation Type, select Role-based or

feature-based installation, and choose Next.

10. Under Server Selection, make sure the local server is selected, and choose Features in the

left navigation pane.

11. In the Features tree, select and open Remote Server Administration Tools, Role

Administration Tools, and AD DS and AD LDS Tools. With AD DS and AD LDS Tools

selected, Active Directory module for Windows PowerShell, AD DS Tools, and AD LDS

Snap-ins and Command-Line Tools are selected. Scroll down and select DNS Server Tools,

and then choose Next.

Manage users and groups with an Amazon EC2 instance Version 1.0 311

AWS Directory Service Administration Guide

12. Review the information and choose Install. When the feature installation is ﬁnished, the

Active Directory Domain Services and Active Directory Lightweight Directory Services Tools

are available from the Start menu in the Administrative Tools folder.

Windows PowerShell

You can install the Active Directory Administration Tools using Windows PowerShell. For

example, you can install the Active Directory remote administration tools from a PowerShell

prompt using Install-WindowsFeature RSAT-ADDS. For more information, see Install-

WindowsFeature on the Microsoft website.

Directory administration instance

You can launch a directory administration EC2 instance in the AWS Management Console that

already has the Active Directory Domain Services and Active Directory Lightweight Directory

Services Tools installed by following the procedures in Launching a directory administration

instance in your AWS Managed Microsoft AD Active Directory.

Manage users and groups with an Amazon EC2 instance Version 1.0 312

AWS Directory Service Administration Guide

Creating an AWS Managed Microsoft AD user

You can create AWS Managed Microsoft AD users with the Active Directory Administration Tools

and Windows PowerShell. Before you can create user with the Active Directory Administration

Tools, you'll need to complete the procedure in Installing Active Directory Administration Tools for

AWS Managed Microsoft AD.

Active Directory Administration Tools

Use the following procedure to create an AWS Managed Microsoft AD user with Active Directory

Administration Tools.

1. Connect to the instance where the Active Directory Administration Tools were installed.

2. Open the Active Directory Users and Computers tool from the Windows Start menu. There

is a shortcut to this tool found in the Windows Administrative Tools folder.

Tip

You can run the following from a command prompt on the instance to open the

Active Directory Users and Computers tool box directly.

%SystemRoot%\system32\dsa.msc

3. In the directory tree, select an OU under your directory's NetBIOS name OU where you

want to store your user (for example, corp\Users). For more information about the

OU structure used by directories in AWS, see What gets created with your AWS Managed

Microsoft AD.

Manage users and groups with an Amazon EC2 instance Version 1.0 313

AWS Directory Service Administration Guide

4. On the Action menu, choose New, and then choose User to open the new user wizard.

5. On the ﬁrst page of the wizard, enter the values for the following ﬁelds, and then choose

Next.

• First name

• Last name

• User logon name

6. On the second page of the wizard, enter a temporary password in Password and Conﬁrm

Password. Make sure the User must change password at next logon option is selected.

None of the other options should be selected. Choose Next.

7. On the third page of the wizard, verify that the new user information is correct and choose

Finish. The new user will appear in the Users folder.

Windows PowerShell

Use the following procedure to create an AWS Managed Microsoft AD user with Windows

PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory

administrator.

2. Open Windows PowerShell.

Manage users and groups with an Amazon EC2 instance Version 1.0 314

AWS Directory Service Administration Guide

Type the following command replacing the username jane.doe with the username of

the user you want to create. You will be prompted by Windows PowerShell to provide a

password for the new user. For more information on Active Directory password complexity

requirements, see Microsoft documentation. For more information on the New-ADUser

command, see Microsoft documentation.

New-ADUser -Name "jane.doe" -Enabled $true -AccountPassword (Read-Host -

AsSecureString 'Password')

Delete a user's account with an Amazon EC2 instance

You can use the following procedure to delete a user with an Amazon EC2 instance that's joined to

your AWS Managed Microsoft AD.

Note

Before you complete this procedure, you must install the Active Directory administration

tools. For more information, see Install the Active Directory administration tools.

To delete a user

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the

Windows Administrative Tools folder.

Tip

You can run the following from a command prompt on the instance to open the Active

Directory Users and Computers tool box directly.

%SystemRoot%\system32\dsa.msc

2. In the directory tree, select the OU containing the user that you want to delete (for example,

Corp\Users).

3. Select the user you wish to delete. On the Action menu, choose Delete.

Manage users and groups with an Amazon EC2 instance Version 1.0 315

AWS Directory Service Administration Guide

4. A dialog box will appear prompting you to conﬁrm you want to delete the user. Choose Yes to

delete the user.

Deleted users are stored temporarily in the AD Recycle Bin. For more information about the

AD Recycle Bin, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and

Troubleshooting in Microsoft's Ask the Directory Services Team blog.

Resetting an AWS Managed Microsoft AD user password

Users must adhere to password policies as deﬁned in the Active Directory. Sometimes this can get

the best of users, including the Active Directory administrator, and they forget their password.

When this happens, you can quickly reset the user's password using AWS Directory Service if the

user resides AWS Managed Microsoft AD.

You must be signed in as a user with the necessary permissions to reset passwords. For more

information about permissions, see Overview of managing access permissions to your AWS

Directory Service resources.

You can reset the password for any user in your Active Directory with the following exceptions:

• You can reset the password for any user within the Organizational Unit (OU) that is based oﬀ

of the NetBIOS name you used when you created your Active Directory. For example, if you

followed the procedure in Creating your AWS Managed Microsoft AD your NetBIOS name would

be CORP and the users passwords you could reset would be members of Corp/Users OU.

• You cannot reset the password of any user outside of the OU that is based oﬀ the NetBIOS name

you used when you created your Active Directory. For example, you cannot reset the password

for a user in AWS Reserved OU. For more information about the OU structure for AWS Managed

Microsoft AD, see What gets created with your AWS Managed Microsoft AD.

For more information on how the password policies are applied when a password is reset in AWS

Managed Microsoft AD, see How password policies are applied.

You can use any of the following tools to reset an AWS Managed Microsoft AD user password:

• AWS Management Console

• AWS CLI

• Windows PowerShell

Manage users and groups with an Amazon EC2 instance Version 1.0 316

AWS Directory Service Administration Guide

AWS Management Console

Use the following procedure to reset an AWS Managed Microsoft AD user password with the

AWS Management Console.

1. In the AWS Directory Service console navigation pane, under Active Directory, choose

Directories, and then select the Active Directory in the list where you want to reset a user

password.

2. On the Directory details page, choose Actions, and then choose Reset user password.

3. In the Reset user password dialog, in Username type the username of the user whose

password needs to change.

4. Type a password in New password and Conﬁrm password, and then choose Reset

password.

AWS CLI

Use the following procedure to reset an AWS Managed Microsoft AD user password with the

AWS CLI.

1. To install the AWS CLI, see Install or update the latest version of the AWS CLI.

2. Open the AWS CLI.

Type the following command and replace the Directory ID, username jane.doe, and

password P@ssw0rd with your Active Directory Directory ID and desired credentials. See

reset-user-password in the AWS CLI Command Reference for more information.

aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-

password "P@ssw0rd"

Windows PowerShell

Use the following procedure to reset an AWS Managed Microsoft AD user password with the

Windows PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory

administrator.

2. Open Windows PowerShell.

Manage users and groups with an Amazon EC2 instance Version 1.0 317

AWS Directory Service Administration Guide

Type the following command replacing the username jane.doe, the Directory ID, and

password P@ssw0rd with your Active Directory Directory ID and desired credentials. See

Reset-DSUserPassword Cmdlet for more information.

Reset-DSUserPassword -UserName "jane.doe" -DirectoryId d-1234567890 -NewPassword

"P@ssw0rd"

Creating an AWS Managed Microsoft AD group

You can create groups in your AWS Managed Microsoft AD. Use the following procedure to create

a security group with an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD

directory. Before you can create security groups, you need to complete the procedures in Installing

the Active Directory Administration Tools.

Active Directory Administration Tools

Use the following procedures to create an AWS Managed Microsoft AD group with Active

Directory Administration Tools.

To create a group

1. Connect to the instance where the Active Directory Administration Tools were installed.

2. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the

Administrative Tools folder.

Tip

You can run the following from a command prompt on the instance to open the

Active Directory Users and Computers tool box directly.

%SystemRoot%\system32\dsa.msc

3. In the directory tree, select an OU under your directory's NetBIOS name OU where you

want to store your group (for example, Corp\Users). For more information about the OU

structure used by directories in AWS, see What gets created with your AWS Managed

Microsoft AD.

Manage users and groups with an Amazon EC2 instance Version 1.0 318

AWS Directory Service Administration Guide

4. On the Action menu, click New, and then click Group to open the new group wizard.

5. Type a name for the group in Group name, select a Group scope that meets your needs,

and select Security for the Group type. For more information on Active Directory group

scope and security groups, see Active Directory security groups in Microsoft Windows

Server documentation.

6. Click OK. The new security group will appear in the Users folder.

Windows PowerShell

You can use Windows PowerShell commands to create groups. For more information, see New-

ADGroup in Windows Server 2022 PowerShell documentation.

Adding an AWS Managed Microsoft AD user to a group

You can add AWS Managed Microsoft AD users to a group. Use the following procedure to add

a user to a security group with an Amazon EC2 instance that is joined to your AWS Managed

Microsoft AD directory.

Manage users and groups with an Amazon EC2 instance Version 1.0 319

AWS Directory Service Administration Guide

Active Directory Administration Tools

To add a user to a group

1. Connect to the instance where the Active Directory Administration Tools were installed.

2. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the

Administrative Tools folder.

Tip

You can run the following from a command prompt on the instance to open the

Active Directory Users and Computers tool box directly.

%SystemRoot%\system32\dsa.msc

3. In the directory tree, select the OU under your directory's NetBIOS name OU where you

stored your group, and select the group that you want to add a user as a member.

4. On the Action menu, click Properties to open the properties dialog box for the group.

5. Select the Members tab and click Add.

Manage users and groups with an Amazon EC2 instance Version 1.0 320

AWS Directory Service Administration Guide

6. For Enter the object names to select, type the username you want to add and click OK.

The name will be displayed in the Members list. Click OK again to update the group

membership.

7. Verify that the user is now a member of the group by selecting the user in the Users folder

and clicking Properties in the Action menu to open the properties dialog box. Select the

Member Of tab. You should see the name of the group in the list of groups that the user

belongs to.

AWS Directory Service Data

AWS Directory Service Data is an extension of AWS Directory Service. You can create, read, update,

and Active Directory (AD) users, groups, and memberships from an AWS Directory Service for

Microsoft Active Directory without deploying dedicated AD management instances on an Amazon

EC2 instance. You can also perform built-in object management tasks across directories without

any direct network connectivity. This simpliﬁes provisioning and access management to achieve

fully automated deployments. For more information, see the AWS Directory Service Data API

Reference .

Directory Service Data supports user and group write operations, like CreateUser and

CreateGroup, within the AWS Managed Microsoft AD that's in your organizational unit (OU).

Directory Service Data supports read operations, like ListUsers and ListGroups, on all users,

groups, and group memberships within the AWS Managed Microsoft AD and across trusted realms.

Directory Service Data supports adding and removing group members from groups in your OU

and the AWS Delegated Groups OU, so you can delegate permissions by adding users to speciﬁc

delegated group objects. For more information, see User and group management in AWS Managed

Microsoft AD.

Note

Directory Service Data is only available in your Primary Region. For more information, see

Primary vs additional Regions.

Topics

• Replication and consistency

• AWS Directory Service Data attributes

Directory Service Data Version 1.0 321

AWS Directory Service Administration Guide

• Group type and group scope

Replication and consistency

The Directory Service Data API connects to your AWS Managed Microsoft AD domain controllers to

perform operations on the underlying directory objects. Active Directory is an eventually consistent

platform, and replication is continuously occurring between AWS Directory Service directory

domain controllers. By default, every AWS Directory Service directory is created with two domain

controllers.

Directory Service Data attempts to maintain a consistent experience by utilizing the same domain

controller across requests. In the event that a domain controller is unavailable, Directory Service

Data switches to an alternative domain controller. During these events, you might notice eventual

consistency across domain controllers while objects are replicated across domain controllers.

Directory limits vary by AWS Managed Microsoft AD edition:

• Standard edition – Supports 8 transactions per second for read operations and 4 TPS for write

operations per directory.

Note

There's a concurrency limit of 10 concurrent requests.

• Enterprise edition – Supports 16 transactions per second for read operations and 8 TPS for write

operations per directory.

Note

There's a concurrency limit of 10 concurrent requests.

• AWS account – Supports a total of 100 transactions per second for Directory Service Data

operations across all directories.

AWS Directory Service Data attributes

This topic describes how to work with attributes in the AWS Directory Service Data API Reference.

Replication and consistency Version 1.0 322

AWS Directory Service Administration Guide

Request Attributes

The following attributes must be deﬁned in the request body parameters. For an example of how

to deﬁne these attributes, see CreateGroup in the AWS Directory Service Data API Reference.

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

Distingui

shedName

distingui

shedName

Distingui

shed

name

None ReadOnly User,

Group

String No

EmailAddr

ess

mail Email

address

EmailAddr

ess

Creatable User String Yes

Enabled None Enabled Enabled Mutable User Boolean No

GivenName givenName First

Name

GivenName Creatable User String Yes

GroupScop

groupScop

Group

scope

None Creatable Group Enum No

GroupType groupType Group

type

None Creatable Group Enum No

SamAccoun

tName

sAMAccoun

tName

User

logon

name

sAMAccoun

tName

Creatable User,

Group

String Yes

SID objectSid User /

Group

security

identiﬁer

(SID)

SID ReadOnly User,

Group

String No

AWS Directory Service Data attributes Version 1.0 323

AWS Directory Service Administration Guide

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

Surname sn Last

name

Surname Creatable User String Yes

UserPrinc

ipalName

userPrinc

ipalName

User

principal

name

UserPrinc

ipalName

ReadOnly User String No

Other Attributes

The following attributes must be deﬁned in OtherAttributes and don't map to any request

body parameters. When you deﬁne other attributes in your requests, you must specify the

attribute name, data type, and the value for each attribute. For an example of how to deﬁne these

attributes, see CreateUser in the AWS Directory Service Data API Reference.

Note

The names of these attributes are case insensitive when provided as inputs and the

equivalent of the LDAP display name.

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

Assistant assistant Assistant None ReadOnly User String No

Cn cn Common

Name

None ReadOnly User,

Group

String No

AWS Directory Service Data attributes Version 1.0 324

AWS Directory Service Administration Guide

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

Co co Country/

region

Country Mutable User String No

Company company Company Company Creatable User String No

Departmen

departmen

Departmen

Creatable User String No

Descripti

descripti

Descripti

Creatable User,

Group

String No

DirectRep

orts

directRep

orts

Direct

reports

None ReadOnly User String

set

DisplayNa

displayNa

Display

name

DisplayNa

Creatable User,

Group

String Yes

Facsimile

Telephone

Number

facsimile

Telephone

Number

Fax Fax Creatable User,

Group

String No

HomePhonehomePhone Home

phone

number

HomePhoneCreatable User String No

Info info Notes None Mutable User,

Group

String No

Initials initials Initials Initials ReadOnly User String No

IpPhone ipPhone IP Phone None Mutable User String No

L l City City Creatable User String Yes

AWS Directory Service Data attributes Version 1.0 325

AWS Directory Service Administration Guide

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

Manager manager Manager Manager Mutable User String No

Mail mail Email

address

EmailAddr

ess

Mutable Group String Yes

Mobile mobile Mobile

phone

number

MobilePho

Mutable User String No

ObjectCla

objectCla

User /

Group

None ReadOnly Group String No

ObjectGUI

objectGUI

Global

unique

identiﬁer

(GUID)

None ReadOnly User,

Group

String No

Pager pager Pager None Mutable User String No

PhysicalD

eliveryOf

ﬁceName

physicalD

eliveryOf

ﬁceName

Oﬃce None Creatable User String Yes

PostalCod

postalCod

Zip/

Postal

code

PostalCod

Creatable User String No

Preferred

Language

preferred

Language

Preferred

language

None Mutable User String No

ProxyAddr

esses

proxyAddr

esses

Proxy

address

None ReadOnly User,

Group

Multi-

valued

string

Yes

AWS Directory Service Data attributes Version 1.0 326

AWS Directory Service Administration Guide

Directory

Service

Data

attribute

name

LDAP

display

name

AWS

Managemen

Console

PowerShel

l alias

Access

type

Object

type

Attribute

value

Searchabl

ServicePr

incipalNa

servicePr

incipalNa

Service

principal

name

ServicePr

incipalNa

Mutable User Multi-

valued

string

St st State/

Province

State Creatable User String No

StreetAdd

ress

streetAdd

ress

Street

address

StreetAdd

ress

Creatable User String No

Telephone

Number

telephone

Number

Telephone

number

OﬃcePho

Creatable User String No

Title title Job title Title ReadOnly User String No

WhenChang

whenChang

Last

updated

None ReadOnly User,

Group

String No

WWWHomePa

wWWHomePa

Home

page URL

wWWHomePa

Mutable User,

Group

String No

Group type and group scope

Groups in AWS Managed Microsoft AD have both a group type and a group scope. See the

following sections for more information on each.

Topics

• Group type

• Group scope

Group type and group scope Version 1.0 327

AWS Directory Service Administration Guide

Group type

Group type determines which shared resources within the Active Directory the group members can

access. There are two group types:

• Security - You can assign permissions to these groups so that group members can access shared

Active Directory resources.

• Distribution - You can use this type to create email distribution lists. These group members

cannot access Active Directory shared resources.

There are no limitations when changing between group types.

For more information about group types, see Microsoft documentation.

Group scope

Group scope determines how group members are deﬁned with the domain tree or forest. There are

three group scopes:

• Domain local - to assign permissions to group members located in the same domain.

• Universal - to assign permissions to group members located within any domain.

• Global - to assign permissions to group members located within any domain or forest.

There are limitations when changing a group scope. The following list and diagram outline these

limitations.

• Changing group scope from Domain Local to Universal - Yes

• Unless the domain local group is a parent of another domain local group.

• Changing group scope from Universal to Domain Local - Yes

• Unless the universal group is a child group of another universal group.

• Changing group scope from Universal to Global - Yes

• Unless the universal group is a parent of another universal group.

• Changing group scope from Global to Universal - Yes

• Unless the global group is a child of another global group.

For more information about group scopes, see Microsoft documentation.

Group type and group scope Version 1.0 328

AWS Directory Service Administration Guide

Connecting your AWS Managed Microsoft AD to Microsoft Entra

Connect Sync

This tutorial walks you through the necessary steps to install Microsoft Entra Connect Sync to sync

your Microsoft Entra ID to your AWS Managed Microsoft AD.

In this tutorial, you do the following:

1. Create an AWS Managed Microsoft AD domain user.

2. Download Entra Connect Sync.

3. Use Windows PowerShell to run a script to provision the appropriate permissions for the newly

created user.

4. Install Entra Connect Sync.

Prerequisites

You will need the following to complete this tutorial:

• An AWS Managed Microsoft AD. For more information, see the section called “Creating your AWS

Managed Microsoft AD”.

• An Amazon EC2 Windows Server instance joined to your AWS Managed Microsoft AD. For more

information, see Joining a Windows instance.

Connecting to Microsoft Entra Connect Sync Version 1.0 329

AWS Directory Service Administration Guide

• An EC2 Windows Server with Active Directory Administration Tools installed to manage your

AWS Managed Microsoft AD. For more information, see the section called “Installing AD

Administration Tools”.

Create an Active Directory domain user

This tutorial assumes you already have an AWS Managed Microsoft AD as well as an EC2 Windows

Server instance with Active Directory Administration Tools installed. For more information, see the

section called “Installing AD Administration Tools”.

1. Connect to the instance where the Active Directory Administration Tools were installed.

2. Create an AWS Managed Microsoft AD domain user. This user will become the Active Directory

Directory Service (AD DS) Connector account for Entra Connect Sync. For detailed steps on this

process, see the section called “Creating a user”.

Download Entra Connect Sync

• Download Entra Connect Sync from Microsoft website onto the EC2 instance that is the AWS

Managed Microsoft AD admin.

Warning

Do not open or run Entra Connect Sync at this point. The next steps will provision the

necessary permissions for your domain user created in Step 1.

Run Windows PowerShell Script

• Open PowerShell as an Administrator and run the following script. While the script is running,

you will be asked to enter the sAMAccountName for the newly created domain user from Step

$modulePath = "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig

\AdSyncConfig.psm1"

try {

Create an Active Directory domain user Version 1.0 330

AWS Directory Service Administration Guide

# Attempt to import the module

Write-Host -ForegroundColor Green "Importing Module for Azure Entra Connect..."

Import-Module $modulePath -ErrorAction Stop

Write-Host -ForegroundColor Green "Success!"

}

catch {

# Display the exception message

Write-Host -ForegroundColor Red "An error occurred: $($_.Exception.Message)"

}

Function Set-EntraConnectSvcPerms {

[CmdletBinding()]

Param (

[String]$ServiceAccountName

)

#Requires -Modules 'ActiveDirectory' -RunAsAdministrator

Try {

$Domain = Get-ADDomain -ErrorAction Stop

} Catch [System.Exception] {

Write-Output "Failed to get AD domain information $_"

}

$BaseDn = $Domain | Select-Object -ExpandProperty 'DistinguishedName'

$Netbios = $Domain | Select-Object -ExpandProperty 'NetBIOSName'

Try {

$OUs = Get-ADOrganizationalUnit -SearchBase "OU=$Netbios,$BaseDn" -

SearchScope 'Onelevel' -Filter * -ErrorAction Stop | Select-Object -ExpandProperty

'DistinguishedName'

} Catch [System.Exception] {

Write-Output "Failed to get OUs under OU=$Netbios,$BaseDn $_"

}

Try {

$ADConnectorAccountDN = Get-ADUser -Identity $ServiceAccountName -ErrorAction

Stop | Select-Object -ExpandProperty 'DistinguishedName'

} Catch [System.Exception] {

Write-Output "Failed to get service account DN $_"

}

Foreach ($OU in $OUs) {

try {

Run Windows PowerShell Script Version 1.0 331

AWS Directory Service Administration Guide

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN

$ADConnectorAccountDN -ADobjectDN $OU -Confirm:$false -ErrorAction Stop

Write-Host "Permissions set successfully for $ADConnectorAccountDN and $OU"

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $ADConnectorAccountDN -

ADobjectDN $OU -Confirm:$false -ErrorAction Stop

Write-Host "Basic read permissions set successfully for $ADConnectorAccountDN

on OU $OU"

}

catch {

Write-Host "An error occurred while setting permissions for

$ADConnectorAccountDN on OU $OU : $_"

}

Install Entra Connect Sync

1. Once the script has completed, you can run the downloaded Microsoft Entra Connect (formerly

known as Azure Active Directory Connect) conﬁguration ﬁle.

2. A Microsoft Azure Active Directory Connect window opens after running the conﬁguration ﬁle

from the previous step. On the Express Settings window, select Customize.

Install Entra Connect Sync Version 1.0 332

AWS Directory Service Administration Guide

3. On the Install required components window, select the Use an existing service account

checkbox. In SERVICE ACCOUNT NAME and SERVICE ACCOUNT PASSWORD, enter the AD DS

Connector account name and password for the user you created in Step 1. For example, if your

AD DS Connector account name is entra, the account name would be corp\entra. Then

select Install.

Install Entra Connect Sync Version 1.0 333

AWS Directory Service Administration Guide

4. On the User Sign-in window, select one of the following options:

a. Pass-through Authentication - This option allows you to sign in to your Active Directory

with your username and password.

b. Do not conﬁgure - This allows you to use federated sign in with Microsoft Entra (formerly

known as Azure Active Directory (Azure AD)) or Oﬃce 365.

Then select Next.

5. On the Connect to Azure window, enter your Global Administrator username and password for

Entra ID and select Next.

6. On the Connect your directories window, choose Active Directory for DIRECTORY TYPE.

Choose the forest for your AWS Managed Microsoft AD for FOREST. Then select Add

Directory.

Install Entra Connect Sync Version 1.0 334

AWS Directory Service Administration Guide

7. A pop-up box appears requesting your account options. Select Use existing AD account. Enter

the AD DS Connector account username and password created in Step 1 and then select OK.

Then select Next.

8. On the Azure AD Sign-in window, select Continue without matching all UPN suﬃxes to

veriﬁed domains, only if you do not have a veriﬁed vanity domain added to Entra ID. Then

select Next.

9. On Domain/OU ﬁltering window, select the options to suit your needs. For more information,

see Entra Connect Sync: Conﬁgure ﬁltering in Microsoft documentation. Then select Next.

10. On the Identifying Users, Filtering and Optional Features window, keep the default values

and select Next.

11. On the Conﬁgure window, review the conﬁguration settings and select Conﬁgure. The

installation for Entra Connect Sync will ﬁnalize and users will begin to synchronize with

Microsoft Entra ID.

AWS Managed Microsoft AD test lab tutorials

This section provides a series of guided tutorials to help you establish a test lab environment in

AWS where you can experiment with AWS Managed Microsoft AD.

Topics

• Tutorial: Setting up your base AWS Managed Microsoft AD test lab in AWS

AWS Managed Microsoft AD test lab tutorials Version 1.0 335

AWS Directory Service Administration Guide

• Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory

installation on Amazon EC2

Tutorial: Setting up your base AWS Managed Microsoft AD test lab in

AWS

This tutorial teaches you how to set up your AWS environment to prepare for a new AWS Managed

Microsoft AD installation that uses a new Amazon EC2 instance running Windows Server 2019.

It then teaches you to use typical Active Directory administration tools to manage your AWS

Managed Microsoft AD environment from your EC2 Windows instance. By the time you complete

the tutorial, you will have set up the network prerequisites and have conﬁgured a new AWS

Managed Microsoft AD forest.

As shown in the following illustration, the lab you create from this tutorial is the foundational

component for hands-on learning about AWS Managed Microsoft AD. You can later add optional

tutorials for more hands-on experience. This tutorial series is ideal for anyone who is new to

AWS Managed Microsoft AD and wants a test lab for evaluation purposes. This tutorial takes

approximately 1 hour to complete.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 336

AWS Directory Service Administration Guide

Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory

After you've completed your prerequisite tasks, you create and conﬁgure an Amazon VPC in

your EC2 instance.

Step 2: Create your AWS Managed Microsoft AD Active Directory

In this step, you set up AWS Managed Microsoft AD in AWS for the ﬁrst time.

Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active

Directory

Here, you walk through the various post-deployment tasks necessary for client computers to

connect to your new domain and set up a new Windows Server system in EC2.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 337

AWS Directory Service Administration Guide

Step 4: Verify that the base test lab is operational

Finally, as an administrator, you verify that you can log in and connect to AWS Managed

Microsoft AD from your Windows Server system in EC2. Once you've successfully tested that the

lab is operational, you can continue to add other test lab guide modules.

Prerequisites

If you plan to use only the UI steps in this tutorial to create your test lab, you can skip this

prerequisites section and move on to Step 1. However, if you plan to use either AWS CLI commands

or AWS Tools for Windows PowerShell modules to create your test lab environment, you must ﬁrst

conﬁgure the following:

• IAM user with the access and secret access key – An IAM user with an access key is required if

you want to use the AWS CLI or AWS Tools for Windows PowerShell modules. If you do not have

an access key, see Creating, modifying, and viewing access keys (AWS Management Console).

• AWS Command Line Interface (optional) – Download and Install the AWS CLI on Windows.

Once installed, open the command prompt or Windows PowerShell window, and then type aws

configure. Note that you need the access key and secret key to complete the setup. See the

ﬁrst prerequisite for steps on how to do this. You will be prompted for the following:

•

AWS access key ID [None]: AKIAIOSFODNN7EXAMPLE

•

AWS secret access key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

•

Default Region name [None]: us-west-2

•

Default output format [None]: json

• AWS Tools for Windows PowerShell (optional) – Download and install the latest version of

the AWS Tools for Windows PowerShell from https://aws.amazon.com/powershell/, and then

run the following command. Note that you need your access key and secret key to complete the

setup. See the ﬁrst prerequisite for the steps on how to do this.

Set-AWSCredentials -AccessKey {AKIAIOSFODNN7EXAMPLE} -SecretKey

{wJalrXUtnFEMI/K7MDENG/ bPxRfiCYEXAMPLEKEY} -StoreAs {default}

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 338

AWS Directory Service Administration Guide

Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active

Directory

Before you can create AWS Managed Microsoft AD in your AWS test lab, you ﬁrst need to set up

your Amazon EC2 key pair so that all login data is encrypted.

Create a key pair

If you already have a key pair, you can skip this step. For more information about Amazon EC2 key

pairs, see Create key pairs.

To create a key pair

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://

console.aws.amazon.com/ec2/.

2. In the navigation pane, under Network & Security, choose Key Pairs, and then choose Create

Key Pair.

For Key pair name, type AWS-DS-KP. For Key pair ﬁle format, select pem, and then choose

Create.

4. The private key ﬁle is automatically downloaded by your browser. The ﬁle name is the name

you speciﬁed when you created your key pair with an extension of .pem. Save the private key

ﬁle in a safe place.

Important

This is the only chance for you to save the private key ﬁle. You need to provide the

name of your key pair when you launch an instance and the corresponding private key

each time you decrypt the password for the instance.

Create, conﬁgure, and peer two Amazon VPCs

As shown in the following illustration, by the time you ﬁnish this multi-step process you will have

created and conﬁgured two public VPCs, two public subnets per VPC, one Internet Gateway per

VPC, and one VPC Peering connection between the VPCs. We chose to use public VPCs and subnets

for the purpose of simplicity and cost. For production workloads, we recommend that you use

private VPCs. For more information about improving VPC Security, see Security in Amazon Virtual

Private Cloud.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 339

AWS Directory Service Administration Guide

All of the AWS CLI and PowerShell examples use the VPC information from below and are built

in us-west-2. You may choose any supported Region to build you environment in. For general

information, see What is Amazon VPC?.

Step 1: Create two VPCs

In this step, you need to create two VPCs in the same account using the speciﬁed parameters in the

following table. AWS Managed Microsoft AD supports the use of separate accounts with the Share

your AWS Managed Microsoft AD feature. The ﬁrst VPC will be used for AWS Managed Microsoft

AD. The second VPC will be used for resources that can be used later in Tutorial: Creating a trust

from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 340

AWS Directory Service Administration Guide

Managed Active Directory VPC information On-premises VPC information

Name tag: AWS-DS-VPC01

IPv4 CIDR block: 10.0.0.0/16

IPv6 CIDR block: No IPv6 CIDR Block

Tenancy: Default

Name tag: AWS-OnPrem-VPC01

IPv4 CIDR block: 10.100.0.0/16

IPv6 CIDR block: No IPv6 CIDR Block

Tenancy: Default

For detailed instructions, see Creating a VPC.

Step 2: Create two subnets per VPC

After you have created the VPCs you will need to create two subnets per VPC using the speciﬁed

parameters in the following table. For this test lab each subnet will be a /24. This will allows up

to 256 addresses to be issued per subnet. Each subnet must be a in a separate AZ. Putting each

subnet in a separate in AZ is one of the Prerequisites for creating a AWS Managed Microsoft AD.

AWS-DS-VPC01 subnet Information: AWS-OnPrem-VPC01 subnet information

Name tag: AWS-DS-VPC01-Subnet01

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01

Availability Zone: us-west-2a

IPv4 CIDR block: 10.0.0.0/24

Name tag: AWS-OnPrem-VPC01-Subnet01

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-

VPC01

Availability Zone: us-west-2a

IPv4 CIDR block: 10.100.0.0/24

Name tag: AWS-DS-VPC01-Subnet02

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01

Availability Zone: us-west-2b

IPv4 CIDR block: 10.0.1.0/24

Name tag: AWS-OnPrem-VPC01-Subnet02

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-

VPC01

Availability Zone: us-west-2b

IPv4 CIDR block: 10.100.1.0/24

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 341

AWS Directory Service Administration Guide

For detailed instructions, see Creating a subnet in your VPC.

Step 3: Create and attach an Internet Gateway to your VPCs

Since we are using public VPCs you will need to create and attach an Internet gateway to your VPCs

using the speciﬁed parameters in the following table. This will allow you to be able to connect to

and manage your EC2 instances.

AWS-DS-VPC01 Internet Gateway informati

AWS-OnPrem-VPC01 Internet Gateway

information

Name tag: AWS-DS-VPC01-IGW

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01

Name tag: AWS-OnPrem-VPC01-IGW

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-

VPC01

For detailed instructions, see Internet gateways.

Step 4: Conﬁgure a VPC peering connection between AWS-DS-VPC01 and AWS-OnPrem-VPC01

Since you already created two VPCs earlier, you will need to network them together using VPC

peering using the speciﬁed parameters in the following table. While there are many ways to

connect your VPCs, this tutorial will use VPC Peering. AWS Managed Microsoft AD supports many

solutions to connect your VPCs, some of these include VPC peering, Transit Gateway, and VPN.

Peering connection name tag: AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer

VPC (Requester): vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01

Account: My Account

Region: This Region

VPC (Accepter): vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01

For instructions on how to create a VPC Peering Connection with another VPC from with in your

account, see Creating a VPC peering connection with another VPC in your account.

Step 5: Add two routes to each VPC’s main route table

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 342

AWS Directory Service Administration Guide

In order for the Internet Gateways and VPC Peering Connection created in the previous steps

to be functional you will need to update the main route table of both VPCs using the speciﬁed

parameters in the following table. You will be adding two routes; 0.0.0.0/0 which will route to all

destinations not explicitly known to the route table and 10.0.0.0/16 or 10.100.0.0/16 which will

route to each VPC over the VPC Peering Connection established above.

You can easily ﬁnd the correct route table for each VPC by ﬁltering on the VPC name tag (AWS-DS-

VPC01 or AWS-OnPrem-VPC01).

AWS-DS-VPC01

route 1 information

AWS-DS-VPC01

route 2 information

AWS-OnPrem-VPC01

route 1 Information

AWS-OnPrem-VPC01

route 2 Information

Destination: 0.0.0.0/0

Target: igw-xxxxx

xxxxxxxxxxxx AWS-

DS-VPC01-IGW

Destination:

10.100.0.0/16

Target: pcx-xxxxx

xxxxxxxxxxxx AWS-

DS-VPC01&AWS-O

nPrem-VPC01-Peer

Destination: 0.0.0.0/0

Target: igw-xxxxx

xxxxxxxxxxxx AWS-

Onprem-VPC01

Destination: 10.0.0.0/

Target: pcx-xxxxx

xxxxxxxxxxxx AWS-

DS-VPC01&AWS-O

nPrem-VPC01-Peer

For instructions on how to add routes to a VPC route table, see Adding and removing routes from a

route table.

Create security groups for Amazon EC2 instances

By default, AWS Managed Microsoft AD creates a security group to manage traﬃc between its

domain controllers. In this section, you will need to create 2 security groups (one for each VPC)

which will be used to manage traﬃc within your VPC for your EC2 instances using the speciﬁed

parameters in the following tables. You also add a rule that allows RDP (3389) inbound from

anywhere and for all traﬃc types inbound from the local VPC. For more information, see Amazon

EC2 security groups for Windows instances.

AWS-DS-VPC01 security group information:

Security group name: AWS DS Test Lab Security Group

Description: AWS DS Test Lab Security Group

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 343

AWS Directory Service Administration Guide

AWS-DS-VPC01 security group information:

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01

Security Group Inbound Rules for AWS-DS-VPC01

Type Protocol Port range Source Type of traﬃc

Custom TCP

Rule

TCP 3389 My IP Remote Desktop

All Traﬃc All All 10.0.0.0/16 All local VPC

traﬃc

Security Group Outbound Rules for AWS-DS-VPC01

Type Protocol Port range Destination Type of traﬃc

All Traﬃc All All 0.0.0.0/0 All traﬃc

AWS-OnPrem-VPC01 security group information:

Security group name: AWS OnPrem Test Lab Security Group.

Description: AWS OnPrem Test Lab Security Group.

VPC: vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01

Security Group Inbound Rules for AWS-OnPrem-VPC01

Type Protocol Port range Source Type of traﬃc

Custom TCP

Rule

TCP 3389 My IP Remote Desktop

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 344

AWS Directory Service Administration Guide

Type Protocol Port range Source Type of traﬃc

Custom TCP

Rule

TCP 53 10.0.0.0/16 DNS

Custom TCP

Rule

TCP 88 10.0.0.0/16 Kerberos

Custom TCP

Rule

TCP 389 10.0.0.0/16 LDAP

Custom TCP

Rule

TCP 464 10.0.0.0/16 Kerberos

change / set

password

Custom TCP

Rule

TCP 445 10.0.0.0/16 SMB / CIFS

Custom TCP

Rule

TCP 135 10.0.0.0/16 Replication

Custom TCP

Rule

TCP 636 10.0.0.0/16 LDAP SSL

Custom TCP

Rule

TCP 49152 - 65535 10.0.0.0/16 RPC

Custom TCP

Rule

TCP 3268 - 3269 10.0.0.0/16 LDAP GC & LDAP

GC SSL

Custom UDP

Rule

UDP 53 10.0.0.0/16 DNS

Custom UDP

Rule

UDP 88 10.0.0.0/16 Kerberos

Custom UDP

Rule

UDP 123 10.0.0.0/16 Windows Time

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 345

AWS Directory Service Administration Guide

Type Protocol Port range Source Type of traﬃc

Custom UDP

Rule

UDP 389 10.0.0.0/16 LDAP

Custom UDP

Rule

UDP 464 10.0.0.0/16 Kerberos

change / set

password

All Traﬃc All All 10.100.0.0/16 All local VPC

traﬃc

Security Group Outbound Rules for AWS-OnPrem-VPC01

Type Protocol Port range Destination Type of traﬃc

All Traﬃc All All 0.0.0.0/0 All traﬃc

For detailed instructions on how to create and add rules to your security groups, see Working with

security groups.

Step 2: Create your AWS Managed Microsoft AD Active Directory

You can use three diﬀerent methods to create your directory. You can use the AWS Management

Console procedure (recommended for this tutorial) or you can use either the AWS CLI or AWS Tools

for Windows PowerShell procedures to create your directory.

Method 1: To create your AWS Managed Microsoft AD directory (AWS Management Console)

1. In the AWS Directory Service console navigation pane, choose Directories and then choose Set

up directory.

2. On the Select directory type page, choose AWS Managed Microsoft AD, and then choose

Next.

3. On the Enter directory information page, provide the following information, and then choose

Next.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 346

AWS Directory Service Administration Guide

• For Edition, select either Standard Edition or Enterprise Edition. For more information

about editions, see AWS Directory Service for Microsoft Active Directory.

•

For Directory DNS name, type corp.example.com.

•

For Directory NetBIOS name, type corp.

•

For Directory description, type AWS DS Managed.

• For Admin password, type the password you want to use for this account and type the

password again in Conﬁrm password. This Admin account is automatically created during

the directory creation process. The password cannot include the word admin. The directory

administrator password is case sensitive and must be between 8 and 64 characters in

length, inclusive. It must also contain at least one character from three of the following four

categories:

• Lowercase letters (a-z)

• Uppercase letters (A-Z)

• Numbers (0-9)

• Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

4. On the Choose VPC and subnets page, provide the following information, and then choose

Next.

• For VPC, choose the option that begins with AWS-DS-VPC01 and ends with (10.0.0.0/16).

• For Subnets, choose the 10.0.0.0/24 and 10.0.1.0/24 public subnets.

5. On the Review & create page, review the directory information and make any necessary

changes. When the information is correct, choose Create directory. Creating the directory

takes 20 to 40 minutes. Once created, the Status value changes to Active.

Method 2: To create your AWS Managed Microsoft AD (Windows PowerShell) (Optional)

1. Open Windows PowerShell.

2. Type the following command. Make sure to use the values provided in Step 4 of the preceding

AWS Management Console procedure.

New-DSMicrosoftAD -Name corp.example.com –ShortName corp –Password P@ssw0rd

–Description “AWS DS Managed” - VpcSettings_VpcId vpc-xxxxxxxx -

VpcSettings_SubnetId subnet-xxxxxxxx, subnet-xxxxxxxx

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 347

AWS Directory Service Administration Guide

Method 3: To create your AWS Managed Microsoft AD (AWS CLI) (Optional)

1. Open the AWS CLI.

2. Type the following command. Make sure to use the values provided in Step 4 of the preceding

AWS Management Console procedure.

aws ds create-microsoft-ad --name corp.example.com --short-name corp --

password P@ssw0rd --description "AWS DS Managed" --vpc-settings VpcId= vpc-

xxxxxxxx,SubnetIds= subnet-xxxxxxxx, subnet-xxxxxxxx

Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft

AD Active Directory

For this lab, we are using Amazon EC2 instances that have public IP addresses to make it easy to

access the management instance from anywhere. In a production setting, you can use instances

that are in a private VPC that are only accessible through a VPN or AWS Direct Connect link. There

is no requirement the instance have a public IP address.

In this section, you walk through the various post-deployment tasks necessary for client computers

to connect to your domain using the Windows Server on your new EC2 instance. You use the

Windows Server in the next step to verify that the lab is operational.

Optional: Create a DHCP options set in AWS-DS-VPC01 for your directory

In this optional procedure, you set up a DHCP option scope so that EC2 instances in your VPC

automatically use your AWS Managed Microsoft AD for DNS resolution. For more information, see

DHCP options sets.

To create a DHCP options set for your directory

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose DHCP Options Sets, and then choose Create DHCP options set.

3. On the Create DHCP options set page, provide the following values for your directory:

•

For Name, type AWS DS DHCP.

•

For Domain name, type corp.example.com.

• For Domain name servers, type the IP addresses of your AWS provided directory's DNS

servers.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 348

AWS Directory Service Administration Guide

Note

To ﬁnd these addresses, go to the AWS Directory Service Directories page, and then

choose the applicable directory ID. On the Details page, identify and use the IPs that

are displayed in DNS address.

Alternatively, to ﬁnd these addresses, go to the AWS Directory Service Directories

page, and choose the applicable directory ID. Then, choose Scale & share. Under

Domain controllers, identify and use the IPs that are displayed in IP address.

• Leave the settings blank for NTP servers, NetBIOS name servers, and NetBIOS node type.

4. Choose Create DHCP options set, and then choose Close. The new set of DHCP options appear

in your list of DHCP options.

Make a note of the ID of the new set of DHCP options (dopt-xxxxxxxx). You use it at the end

of this procedure when you associate the new options set with your VPC.

Note

Seamless domain join works without having to conﬁgure a DHCP Options Set.

6. In the navigation pane, choose Your VPCs.

7. In the list of VPCs, select AWS DS VPC, choose Actions, and then choose Edit DHCP options

set.

8. On the Edit DHCP options set page, select the options set that you recorded in Step 5, and

then choose Save.

Create a role to join Windows instances to your AWS Managed Microsoft AD domain

Use this procedure to conﬁgure a role that joins an Amazon EC2 Windows instance to a domain. For

more information, see Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft

AD Active Directory.

To conﬁgure EC2 to join Windows instances to your domain

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

3. Under Select type of trusted entity, choose AWS service.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 349

AWS Directory Service Administration Guide

4. Immediately under Choose the service that will use this role, choose EC2, and then choose

Next: Permissions.

5. On the Attached permissions policy page, do the following:

• Select the box next to the AmazonSSMManagedInstanceCore managed policy. This policy

provides the minimum permissions necessary to use the Systems Manager service.

• Select the box next to AmazonSSMDirectoryServiceAccess managed policy. The policy

provides the permissions to join instances to an Active Directory managed by AWS Directory

Service.

For information about these managed policies and other policies you can attach to an IAM

instance proﬁle for Systems Manager, see Create an IAM instance proﬁle for Systems Manager

in the AWS Systems Manager User Guide. For information about managed policies, see AWS

Managed policies in the IAM User Guide.

6. Choose Next: Tags.

7. (Optional) Add one or more tag key-value pairs to organize, track, or control access for this

role, and then choose Next: Review.

8. For Role name, enter a name for the role that describes that it is used to join instances to a

domain, such as EC2DomainJoin.

9. (Optional) For Role description, enter a description.

10. Choose Create role. The system returns you to the Roles page.

Create an Amazon EC2 instance and automatically join the directory

In this procedure you set up a Windows Server system in a EC2 instance that can be used later to

administer users, groups, and policies in Active Directory.

To create an EC2 instance and automatically join the directory

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Choose Launch Instance.

3. On the Step 1 page, next to Microsoft Windows Server 2019 Base -

ami-xxxxxxxxxxxxxxxxx choose Select.

4. On the Step 2 page, select t3.micro (note, you can choose a larger instance type), and then

choose Next: Conﬁgure Instance Details.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 350

AWS Directory Service Administration Guide

5. On the Step 3 page, do the following:

• For Network, choose the VPC that ends with AWS-DS-VPC01 (for example,

vpc-xxxxxxxxxxxxxxxxx | AWS-DS-VPC01).

• For Subnet choose Public subnet 1, which should be preconﬁgured for your preferred

Availability Zone (for example, subnet-xxxxxxxxxxxxxxxxx | AWS-DS-VPC01-Subnet01 |

us-west-2a).

• For Auto-assign Public IP, choose Enable (if the subnet setting is not set to enable by

default).

•

For Domain join directory, choose corp.example.com (d-xxxxxxxxxx).

• For IAM role choose the name you gave your instance role in Create a role to join Windows

instances to your AWS Managed Microsoft AD domain, such as EC2DomainJoin.

• Leave the rest of the settings at their defaults.

• Choose Next: Add Storage.

6. On the Step 4 page, leave the default settings, and then choose Next: Add Tags.

On the Step 5 page, choose Add Tag. Under Key type corp.example.com-mgmt and then

choose Next: Conﬁgure Security Group.

8. On the Step 6 page, choose Select an existing security group, select AWS DS Test Lab

Security Group (which you previously set up in the Base tutorial), and then choose Review and

Launch to review your instance.

9. On the Step 7 page, review the page, and then choose Launch.

10. On the Select an existing key pair or create a new key pair dialog box, do the following:

• Choose Choose an existing key pair.

• Under Select a key pair, choose AWS-DS-KP.

• Select the I acknowledge... check box.

• Choose Launch Instances.

11. Choose View Instances to return to the Amazon EC2 console and view the status of the

deployment.

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 351

AWS Directory Service Administration Guide

Install the Active Directory tools on your EC2 instance

You can choose from two methods to install the Active Directory Domain Management Tools on

your EC2 instance. You can use the Server Manager UI (recommended for this tutorial) or Windows

PowerShell.

To install the Active Directory tools on your EC2 instance (Server Manager)

1. In the Amazon EC2 console, choose Instances, select the instance you just created, and then

choose Connect.

2. In the Connect To Your Instance dialog box, choose Get Password to retrieve your password if

you haven’t already, and then choose Download Remote Desktop File.

3. In the Windows Security dialog box, type your local administrator credentials for the Windows

Server computer to log in (for example, administrator).

4. From the Start menu, choose Server Manager.

5. In the Dashboard, choose Add Roles and Features.

6. In the Add Roles and Features Wizard, choose Next.

7. On the Select installation type page, choose Role-based or feature-based installation, and

then choose Next.

8. On the Select destination server page, make sure that the local server is selected, and then

choose Next.

9. On the Select server roles page, choose Next.

10. On the Select features page, do the following:

• Select the Group Policy Management check box.

• Expand Remote Server Administration Tools, and then expand Role Administration Tools.

• Select the AD DS and AD LDS Tools check box.

• Select the DNS Server Tools check box.

• Choose Next.

11. On the Conﬁrm installation selections page, review the information, and then choose Install.

When the feature installation is ﬁnished, the following new tools or snap-ins will be available

in the Windows Administrative Tools folder in the Start menu.

• Active Directory Administrative Center

• Active Directory Domains and Trusts

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 352

AWS Directory Service Administration Guide

• Active Directory Module for Windows PowerShell

• Active Directory Sites and Services

• Active Directory Users and Computers

• ADSI Edit

• DNS

• Group Policy Management

To install the Active Directory tools on your EC2 instance (Windows PowerShell) (Optional)

1. Start Windows PowerShell.

2. Type the following command.

Install-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-

Tools,RSAT-DNS-Server

Step 4: Verify that the base test lab is operational

Use the following procedure to verify that the test lab has been set up successfully before

adding on additional test lab guide modules. This procedure veriﬁes that your Windows Server is

conﬁgured appropriately, can connect to the corp.example.com domain, and be used to administer

your AWS Managed Microsoft AD forest.

To verify that the test lab is operational

1. Sign out of the EC2 instance where you were logged in as the local administrator.

2. Back in the Amazon EC2 console, choose Instances in the navigation pane. Then select the

instance that you created. Choose Connect.

3. In the Connect To Your Instance dialog box, choose Download Remote Desktop File.

4. In the Windows Security dialog box, type your administrator credentials for the CORP domain

to log in (for example, corp\admin).

5. Once you are logged in, in the Start menu, under Windows Administrative Tools, choose

Active Directory Users and Computers.

6. You should see corp.example.com displayed with all the default OUs and accounts associated

with a new domain. Under Domain Controllers, notice the names of the domain controllers

Tutorial: Set up your base AWS Managed Microsoft AD test lab Version 1.0 353

AWS Directory Service Administration Guide

that were automatically created when you created your AWS Managed Microsoft AD back in

Step 2 of this tutorial.

Congratulations! Your AWS Managed Microsoft AD base test lab environment has now been

conﬁgured. You are ready to begin adding the next test lab in the series.

Next tutorial: Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active

Directory installation on Amazon EC2

Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-

managed Active Directory installation on Amazon EC2

In this tutorial, you learn how to create a trust between the AWS Directory Service for Microsoft

Active Directory forest that you created in the Base tutorial. You also learn to create a new native

Active Directory forest on a Windows Server in Amazon EC2. As shown in the following illustration,

the lab that you create from this tutorial is the second building block necessary when setting up a

complete AWS Managed Microsoft AD test lab. You can use the test lab to test your pure cloud or

hybrid cloud–based AWS solutions.

You should only need to create this tutorial once. After that you can add optional tutorials when

necessary for more experience.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 354

AWS Directory Service Administration Guide

Step 1: Set up your environment for trusts

Before you can establish trusts between a new Active Directory forest and the AWS Managed

Microsoft AD forest that you created in the Base tutorial, you need to prepare your Amazon EC2

environment. To do that, you ﬁrst create a Windows Server 2019 server, promote that server to

a domain controller, and then conﬁgure your VPC accordingly.

Step 2: Create the trusts

In this step, you create a two-way forest trust relationship between your newly created Active

Directory forest hosted in Amazon EC2 and your AWS Managed Microsoft AD forest in AWS.

Step 3: Verify the trust

Finally, as an administrator, you use the AWS Directory Service console to verify that the new

trusts are operational.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 355

AWS Directory Service Administration Guide

Step 1: Set up your environment for trusts

In this section, you set up your Amazon EC2 environment, deploy your new forest, and prepare your

VPC for trusts with AWS.

Create a Windows Server 2019 EC2 instance

Use the following procedure to create a Windows Server 2019 member server in Amazon EC2.

To create a Windows Server 2019 EC2 instance

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the Amazon EC2 console, choose Launch Instance.

3. On the Step 1 page, locate Microsoft Windows Server 2019 Base -

ami-xxxxxxxxxxxxxxxxx in the list. Then choose Select.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 356

AWS Directory Service Administration Guide

4. On the Step 2 page, select t2.large, and then choose Next: Conﬁgure Instance Details.

5. On the Step 3 page, do the following:

•

For Network, select vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 (which you previously

set up in the Base tutorial).

•

For Subnet, select subnet-xxxxxxxxxxxxxxxxx | AWS-OnPrem-VPC01-Subnet01 | AWS-

OnPrem-VPC01.

• For Auto-assign Public IP list, choose Enable (if the subnet setting is not set to Enable by

default).

• Leave the rest of the settings at their defaults.

• Choose Next: Add Storage.

6. On the Step 4 page, leave the default settings, and then choose Next: Add Tags.

On the Step 5 page, choose Add Tag. Under Key type example.local-DC01, and then

choose Next: Conﬁgure Security Group.

8. On the Step 6 page, choose Select an existing security group, select AWS On-Prem Test Lab

Security Group (which you previously set up in the Base tutorial), and then choose Review and

Launch to review your instance.

9. On the Step 7 page, review the page, and then choose Launch.

10. On the Select an existing key pair or create a new key pair dialog box, do the following:

• Choose Choose an existing key pair.

• Under Select a key pair, choose AWS-DS-KP (which you previously set up in the Base

tutorial).

• Select the I acknowledge... check box.

• Choose Launch Instances.

11. Choose View Instances to return to the Amazon EC2 console and view the status of the

deployment.

Promote your server to a domain controller

Before you can create trusts, you must build and deploy the ﬁrst domain controller for a new

forest. During this process you conﬁgure a new Active Directory forest, install DNS, and set this

server to use the local DNS server for name resolution. You must reboot the server at the end of

this procedure.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 357

AWS Directory Service Administration Guide

Note

If you want to create a domain controller in AWS that replicates with your on-premises

network, you would ﬁrst manually join the EC2 instance to your on-premises domain. After

that you can promote the server to a domain controller.

To promote your server to a domain controller

1. In the Amazon EC2 console, choose Instances, select the instance you just created, and then

choose Connect.

2. In the Connect To Your Instance dialog box, choose Download Remote Desktop File.

3. In the Windows Security dialog box, type your local administrator credentials for the Windows

Server computer to login (for example, administrator). If you do not yet have the local

administrator password, go back to the Amazon EC2 console, right-click on the instance, and

choose Get Windows Password. Navigate to your AWS DS KP.pem ﬁle or your personal .pem

key, and then choose Decrypt Password.

4. From the Start menu, choose Server Manager.

5. In the Dashboard, choose Add Roles and Features.

6. In the Add Roles and Features Wizard, choose Next.

7. On the Select installation type page, choose Role-based or feature-based installation, and

then choose Next.

8. On the Select destination server page, make sure that the local server is selected, and then

choose Next.

9. On the Select server roles page, select Active Directory Domain Services. In the Add Roles

and Features Wizard dialog box, verify that the Include management tools (if applicable)

check box is selected. Choose Add Features, and then choose Next.

10. On the Select features page, choose Next.

11. On the Active Directory Domain Services page, choose Next.

12. On the Conﬁrm installation selections page, choose Install.

13. Once the Active Directory binaries are installed, choose Close.

14. When Server Manager opens, look for a ﬂag at the top next to the word Manage. When this

ﬂag turns yellow, the server is ready to be promoted.

15. Choose the yellow ﬂag, and then choose Promote this server to a domain controller.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 358

AWS Directory Service Administration Guide

16. On the Deployment Conﬁguration page, choose Add a new forest. In Root domain name,

type example.local, and then choose Next.

17. On the Domain Controller Options page, do the following:

• In both Forest functional level and Domain functional level, choose Windows Server 2016.

• Under Specify domain controller capabilities, verify that both DNS server and Global

Catalog (GC) are selected.

• Type and then conﬁrm a Directory Services Restore Mode (DSRM) password. Then choose

Next.

18. On the DNS Options page, ignore the warning about delegation and choose Next.

19. On the Additional options page, make sure that EXAMPLE is listed as the NetBios domain

name.

20. On the Paths page, leave the defaults, and then choose Next.

21. On Review Options page, choose Next. The server now checks to make sure all the

prerequisites for the domain controller are satisﬁed. You may see some warnings displayed,

but you can safely ignore them.

22. Choose Install. Once the installation is complete, the server reboots and then becomes a

functional domain controller.

Conﬁgure your VPC

The following three procedures guide you through the steps to conﬁgure your VPC for connectivity

with AWS.

To conﬁgure your VPC outbound rules

1. In the AWS Directory Service console, make a note of the AWS Managed Microsoft AD

directory ID for corp.example.com that you previously created in the Base tutorial.

2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

3. In the navigation pane, choose Security Groups.

4. Search for your AWS Managed Microsoft AD directory ID. In the search results, select the item

with the description AWS created security group for d-xxxxxx directory controllers.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 359

AWS Directory Service Administration Guide

Note

This security group was automatically created when you initially created your directory.

5. Choose the Outbound Rules tab under that security group. Choose Edit, choose Add another

rule, and then add the following values:

• For Type, choose All Traﬃc.

•

For Destination, type 0.0.0.0/0.

• Leave the rest of the settings at their defaults.

• Select Save.

To verify kerberos preauthentication is enabled

1. On the example.local domain controller, open Server Manager.

2. On the Tools menu, choose Active Directory Users and Computers.

3. Navigate to the Users directory, right-click on any user and select Properties, and then choose

the Account tab. In the Account options list, scroll down and ensure that Do not require

Kerberos preauthentication is not selected.

4. Perform the same steps for the corp.example.com domain from the corp.example.com-

mgmt instance.

To conﬁgure DNS conditional forwarders

Note

A conditional forwarder is a DNS server on a network that is used to forward DNS

queries according to the DNS domain name in the query. For example, a DNS server

can be conﬁgured to forward all the queries it receives for names ending with

widgets.example.com to the IP address of a speciﬁc DNS server or to the IP addresses of

multiple DNS servers.

1. Open the AWS Directory Service console.

2. In the navigation pane, choose Directories.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 360

AWS Directory Service Administration Guide

3. Select the directory ID of your AWS Managed Microsoft AD.

4. Take note of the fully qualiﬁed domain name (FQDN), corp.example.com, and the DNS

addresses of your directory.

5. Now, return to your example.local domain controller, and then open Server Manager.

6. On the Tools menu, choose DNS.

7. In the console tree, expand the DNS server of the domain for which you are setting up the

trust, and navigate to Conditional Forwarders.

8. Right-click Conditional Forwarders, and then choose New Conditional Forwarder.

In DNS domain, type corp.example.com.

10. Under IP addresses of the primary servers, choose <Click here to add ...>, type the ﬁrst DNS

address of your AWS Managed Microsoft AD directory (which you made note of in the previous

procedure), and then press Enter. Do the same for the second DNS address. After typing the

DNS addresses, you might get a "timeout" or "unable to resolve" error. You can generally

ignore these errors.

11. Select the Store this conditional forwarder in Active Directory, and replicate as follows

check box. In the drop-down menu, choose All DNS servers in this Forest, and then choose

OK.

Step 2: Create the trusts

In this section, you create two separate forest trusts. One trust is created from the Active Directory

domain on your EC2 instance and the other from your AWS Managed Microsoft AD in AWS.

To create the trust from your EC2 domain to your AWS Managed Microsoft AD

1. Log into example.local.

2. Open Server Manager and in the console tree choose DNS. Take note of the IPv4 address

listed for the server. You will need this in the next procedure when you create a conditional

forwarder from corp.example.com to the example.local directory.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 361

AWS Directory Service Administration Guide

3. In the Tools menu, choose Active Directory Domains and Trusts.

4. In the console tree, right-click example.local and then choose Properties.

5. On the Trusts tab, choose New Trust, and then choose Next.

On the Trust Name page, type corp.example.com, and then choose Next.

7. On the Trust Type page, choose Forest trust, and then choose Next.

Note

AWS Managed Microsoft AD also supports external trusts. However, for the purposes of

this tutorial, you will create a two-way forest trust.

8. On the Direction of Trust page, choose Two-way, and then choose Next.

Note

If you decide later to try this with a one-way trust instead, ensure that the trust

directions are setup correctly (Outgoing on trusting domain, Incoming on trusted

domain). For general information, see Understanding trust direction on Microsoft's

website.

9. On the Sides of Trust page, choose This domain only, and then choose Next.

10. On the Outgoing Trust Authentication Level page, choose Forest-wide authentication, and

then choose Next.

Note

Although Selective authentication in an option, for the simplicity of this tutorial we

recommend that you do not enable it here. When conﬁgured it restricts access over an

external or forest trust to only those users in a trusted domain or forest who have been

explicitly given authentication permissions to computer objects (resource computers)

residing in the trusting domain or forest. For more information, see Conﬁguring

selective authentication settings.

11. On the Trust Password page, type the trust password twice, and then choose Next. You will

use this same password in the next procedure.

12. On the Trust Selections Complete page, review the results, and then choose Next.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 362

AWS Directory Service Administration Guide

13. On the Trust Creation Complete page, review the results, and then choose Next.

14. On the Conﬁrm Outgoing Trust page, choose No, do not conﬁrm the outgoing trust. Then

choose Next

15. On the Conﬁrm Incoming Trust page, choose No, do not conﬁrm the incoming trust. Then

choose Next

16. On the Completing the New Trust Wizard page, choose Finish.

Note

Trust relationships is a global feature of AWS Managed Microsoft AD. If you are using

Conﬁgure Multi-Region replication for AWS Managed Microsoft AD, the following

procedures must be performed in the Primary Region. The changes will be applied across

all replicated Regions automatically. For more information, see Global vs Regional features.

To create the trust from your AWS Managed Microsoft AD to your EC2 domain

1. Open the AWS Directory Service console.

2. Choose the corp.example.com directory.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the primary

Region, and then choose the Networking & security tab. For more information, see Primary

vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Networking & security tab.

4. In the Trust relationships section, choose Actions, and then select Add trust relationship.

5. In the Add a trust relationship dialog box, do the following:

• Under Trust type select Forest trust.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 363

AWS Directory Service Administration Guide

Note

Make sure that the Trust type you choose here matches the same trust type

conﬁgured in the previous procedure (To create the trust from your EC2 domain to

your AWS Managed Microsoft AD).

• For Existing or new remote domain name, type example.local.

• For Trust password, type the same password that you provided in the previous procedure.

• Under Trust direction, select Two-Way.

Note

• If you decide later to try this with a one-way trust instead, ensure that the trust

directions are setup correctly (Outgoing on trusting domain, Incoming on trusted

domain). For general information, see Understanding trust direction on Microsoft's

website.

• Although Selective authentication in an option, for the simplicity of this tutorial

we recommend that you do not enable it here. When conﬁgured it restricts

access over an external or forest trust to only those users in a trusted domain or

forest who have been explicitly given authentication permissions to computer

objects (resource computers) residing in the trusting domain or forest. For more

information, see Conﬁguring selective authentication settings.

• For Conditional forwarder, type the IP address of your DNS server in the example.local

forest (which you noted in the previous procedure).

Note

A conditional forwarder is a DNS server on a network that is used to forward DNS

queries according to the DNS domain name in the query. For example, a DNS

server can be conﬁgured to forward all the queries it receives for names ending

with widgets.example.com to the IP address of a speciﬁc DNS server or to the IP

addresses of multiple DNS servers.

6. Choose Add.

Tutorial: Create a trust from AWS Managed Microsoft AD to a self-managed AD install on EC2 Version 1.0 364

AWS Directory Service Administration Guide

Step 3: Verify the trust

In this section, you test whether the trusts were set up successfully between AWS and Active

Directory on Amazon EC2.

To verify the trust

1. Open the AWS Directory Service console.

2. Choose the corp.example.com directory.

3. On the Directory details page, do one of the following:

• If you have multiple Regions showing under Multi-Region replication, select the primary

Region, and then choose the Networking & security tab. For more information, see Primary

vs additional Regions.

• If you do not have any Regions showing under Multi-Region replication, choose the

Networking & security tab.

4. In the Trust relationships section, select the trust relationship you just created.

5. Choose Actions, and then choose Verify trust relationship.

Once the veriﬁcation has completed, you should see Veriﬁed displayed under the Status column.

Congratulations on completing this tutorial! You now have a fully functional multiforest Active

Directory environment from which you can begin testing various scenarios. Additional test lab

tutorials are planned in 2018, so check back on occasion to see what's new.

AWS Managed Microsoft AD quotas

The following are the default quotas for AWS Managed Microsoft AD. Each quota is per Region

unless otherwise noted.

AWS Managed Microsoft AD quotas

Resource Default quota

AWS Managed Microsoft AD directories 20

Manual snapshots * 5 per AWS Managed Microsoft AD

Quotas Version 1.0 365

AWS Directory Service Administration Guide

Resource Default quota

Manual snapshots age ** 180 days

Maximum number of domain controllers per

Directory

You can launch and join an Amazon EC2 Windows instance to a Simple AD. Alternatively, you can

manually join an existing EC2 Windows instance to a Simple AD

Seamlessly join a Windows Amazon EC2

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://

console.aws.amazon.com/ec2/.

2. In the navigation bar, choose the same AWS Region as the existing directory.

3. On the EC2 Dashboard, in the Launch instance section, choose Launch instance.

4. On the Launch an instance page, under the Name and Tags section, enter the name you

would like to use for your Windows EC2 instance.

5. (Optional) Choose Add additional tags to add one or more tag key-value pairs to organize,

track, or control access for this EC2 instance.

6. In the Application and OS Image (Amazon Machine Image) section, choose Windows in

the Quick Start pane. You can change the Windows Amazon Machine Image (AMI) from the

Amazon Machine Image (AMI) dropdown list.

7. In the Instance type section, choose the instance type you would like to use from Instance

type dropdown list.

8. In the Key pair (login) section, you can either choose to create a new key pair or choose

from an existing key pair.

a. To create a new key pair, choose Create new key pair.

b. Enter a name for the key pair and select an option for the Key pair type and Private

key ﬁle format.

c. To save the private key in a format that can be used with OpenSSH, choose .pem. To

save the private key in a format that can be used with PuTTY, choose .ppk.

d. Choose create key pair.

e. The private key ﬁle is automatically downloaded by your browser. Save the private key

ﬁle in a safe place.

Joining a Windows instance Version 1.0 489

AWS Directory Service Administration Guide

Important

This is the only chance for you to save the private key ﬁle.

9. On the Launch an instance page, under Network settings section, choose Edit. Choose the

VPC that your directory was created in from the VPC - required dropdown list.

10. Choose one of the public subnets in your VPC from the Subnet dropdown list. The subnet

you choose must have all external traﬃc routed to an internet gateway. If this is not the

case, you won't be able to connect to the instance remotely.

For more information on how to connect to a internet gateway, see Connect to the internet

using an internet gateway in the Amazon VPC User Guide.

11. Under Auto-assign public IP, choose Enable.

For more information about public and private IP addressing, see Amazon EC2 instance IP

addressing in the Amazon EC2 User Guide.

12. For Firewall (security groups) settings, you can use the default settings or make changes

to meet your needs.

13. For Conﬁgure storage settings, you can use the default settings or make changes to meet

your needs.

14. Select Advanced details section, choose your domain from the Domain join directory

dropdown list.

Note

After choosing the Domain join directory, you may see:

This error occurs if the EC2 launch wizard identiﬁes an existing SSM document with

unexpected properties. You can do one of the following:

• If you previously edited the SSM document and the properties are expected,

choose close and proceed to launch the EC2 instance with no changes.

Joining a Windows instance Version 1.0 490