After you created your AWS Managed Microsoft AD service and your EC2 instance(s), you must join the configured Amazon Elastic Compute Cloud (EC2) instance(s) to AWS Managed Microsoft AD.
Complete the procedure in Amazon Web Services (AWS) as described in Join an EC2 instance to your AWS Managed Microsoft AD directory in the AWS Directory Service documentation.
NOTE: Consider the following when joining the EC2 instance(s) to AWS Managed Microsoft AD:
TIP: If the domain join process ends with an error, check the specified DNS addresses and Domain Admin credentials in the AWS console.
If you manage AWS Managed Microsoft AD with Active Roles in Amazon Web Services (AWS), you must store the Active Roles Management History and Configuration databases in an Amazon Relational Database Service (RDS) instance.
Configure the RDS instance in AWS as described in Setting up for Amazon RDS in the Amazon RDS documentation.
NOTE: Consider the following when creating the EC2 instance:
- Make sure that the connectivity requirements listed in Deployment requirements for AWS Managed Microsoft AD support are met.
- Select the SQL Server edition that suits your needs the most. For most Active Roles use cases, SQL Server Standard Edition is an optimal choice.
- Take note of the Master username and Master password, as these credentials will be required later.
- For Storage type, select General Purpose SSD (gp2), and allocate a minimum storage of 60 GiB.
- Consider selecting Enable storage autoscaling. This setting is useful if the SQL Server is under heavy load most of the time. However, it may incur additional operational costs.
After you have created the RDS instance, you can test from the EC2 instance, with the telnet client or Microsoft SQL Server Management Studio (SSMS), whether RDS connectivity was configured successfully.
To verify RDS connectivity in the EC2 instance
- Log in to the EC2 instance created for Active Roles.
- To test connectivity to RDS, install the telnet client. To do so:
  - Open Windows Server Manager.
  - On the Dashboard, click Add roles and features.
  - In the Installation Type step, select Role-based or feature-based installation, then click Next.
  - In the Server Selection step, choose Select a server from the server pool, and make sure that the local server (the EC2 instance) is selected.
  - In the Server Roles step, click Next without selecting any roles.
  - In the Features step, select Telnet Client.
  - In the Confirmation screen, click Install, then click Close.
- To verify connectivity to the RDS instance, open the Windows Command Prompt, and run the following command:
  telnet <rds-server-endpoint> <port-number>
  To find the RDS server endpoint and port to specify, open the entry of the RDS instance in the AWS console, and check the values under Connectivity & Security > Endpoint & port.
  NOTE: If the command opens an empty (blank) prompt, the EC2 instance has TCP connectivity to the RDS instance.
- Download and install Microsoft SQL Server Management Studio (SSMS) on the EC2 instance.
- To test the connection with SSMS, start the application, then in the Connect to Server dialog, specify the following attributes:
  - Server type: Select Database Engine.
  - Server name: The same RDS instance endpoint used in the telnet command.
  - Authentication: Select SQL Server Authentication, then specify the admin user name and password created when configuring the RDS instance.
- After you have specified all connection properties, click Connect.
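The same two checks (the telnet port test and the SSMS SQL Server Authentication test) as one script, added here as an example and not taken from the Active Roles documentation. It uses the built-in Test-NetConnection cmdlet in place of the telnet client and .NET SqlClient in place of SSMS; the endpoint, port and master user name are placeholders to replace with the values from the AWS console.

```powershell
# Added example, not from the Active Roles documentation. Run on the EC2 instance.
# Placeholders: replace with the Endpoint & port shown in the AWS console and the
# Master username you noted when creating the RDS instance.
$RdsEndpoint = 'mydb.xxxxxxxx.us-east-1.rds.amazonaws.com'   # placeholder endpoint
$RdsPort     = 1433                                             # placeholder, default SQL Server port
$MasterUser  = 'admin'                                          # placeholder master user name

# 1. TCP reachability: the same check as "telnet <endpoint> <port>", without installing the telnet client.
$tcp = Test-NetConnection -ComputerName $RdsEndpoint -Port $RdsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP connectivity to ${RdsEndpoint}:${RdsPort}. Check the RDS security group and the EC2 VPC/subnet routing."
}
"TCP port $RdsPort is reachable on $RdsEndpoint"

# 2. SQL Server Authentication: the same test the SSMS "Connect to Server" dialog performs.
$cred = Get-Credential -UserName $MasterUser -Message 'RDS master password'
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']            = "$RdsEndpoint,$RdsPort"
$builder['User ID']                = $cred.UserName
$builder['Password']               = $cred.GetNetworkCredential().Password
$builder['Encrypt']                = $true    # TLS to RDS; assumes the Amazon RDS CA bundle is trusted on the instance
$builder['TrustServerCertificate'] = $false   # do not accept an unverified server certificate
$builder['Connect Timeout']        = 15

$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT @@VERSION AS Version, SUSER_SNAME() AS LoginName'
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { "Connected as $($reader['LoginName']): $($reader['Version'])" }
} finally {
    $conn.Dispose()   # closes the session even if the login failed
}
```

A failed `Open()` raises a SqlException whose message distinguishes a network failure from a rejected login, which is the same distinction the telnet and SSMS steps make separately.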
After you checked the connectivity between the EC2 and RDS instances, you can deploy and configure Active Roles on the EC2 instance.
Prerequisites
Before starting the procedure, make sure that the following requirements are met:
To install Active Roles on the EC2 instance
- Download the Active Roles installation media to the EC2 instance.
- Run the setup and install Active Roles with all required prerequisites as described in Active Roles installation in the Active Roles Quick Start Guide.
After installing Active Roles, configure the Active Roles Administration Service.
To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in SQL Server Management Studio
- Start Microsoft SQL Server Management Studio (SSMS), and connect to the RDS for SQL Server instance as described in Verifying connectivity between the EC2 and RDS instances.
- With SSMS, under the Databases node of the Object Explorer, create two new empty databases to be used later for configuring Active Roles:
  - A database for the Management History database (name it, for example, ARMH).
  - A database for the Active Roles Configuration database (name it, for example, ARConfig).
- Still in SSMS, create a new user that Active Roles will use to connect to the SQL database in the RDS instance. To do so, right-click the Security > Logins node of the Object Explorer, then select New login and specify the following details:
  - Under General > Login name, specify the name of the user (for example, sql-activeroles). Then, select SQL Server authentication.
  - Under User Mapping, select the databases that you created previously (in this example, ARMH and ARConfig), and assign the db_owner role to both of them.
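The same database and login provisioning as a script, added here as an example that is not part of the Active Roles documentation. It assumes the names from this procedure (ARMH, ARConfig, sql-activeroles) and a placeholder RDS endpoint, and runs the T-SQL through .NET SqlClient as the RDS master user, so that the Administration Service gets its own login instead of reusing the master credentials.

```powershell
# Added example, not from the Active Roles documentation. Run on the EC2 instance as the RDS master user.
$RdsEndpoint = 'mydb.xxxxxxxx.us-east-1.rds.amazonaws.com,1433'   # placeholder endpoint,port
$master   = Get-Credential -Message 'RDS master login'
$svcPass  = Read-Host -AsSecureString 'Password for the new sql-activeroles login'
# Escape single quotes so the password is safe inside the T-SQL string literal below.
$svcPlain = ([System.Net.NetworkCredential]::new('', $svcPass)).Password.Replace("'", "''")

function Invoke-RdsSql([System.Data.SqlClient.SqlConnection]$Connection, [string]$Text) {
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Text
    [void]$cmd.ExecuteNonQuery()
}

# Dedicated SQL login for the Administration Service; CHECK_POLICY enforces the server password policy.
$loginSql = @"
IF SUSER_ID(N'sql-activeroles') IS NULL
    CREATE LOGIN [sql-activeroles] WITH PASSWORD = N'$svcPlain', CHECK_POLICY = ON;
"@
# Equivalent of the User Mapping page: map the login into a database and grant db_owner there.
$mapSql = @"
IF DATABASE_PRINCIPAL_ID(N'sql-activeroles') IS NULL
    CREATE USER [sql-activeroles] FOR LOGIN [sql-activeroles];
ALTER ROLE [db_owner] ADD MEMBER [sql-activeroles];
"@

# Encrypt=True assumes the Amazon RDS CA bundle is trusted on the instance.
$cs = "Data Source=$RdsEndpoint;Initial Catalog=master;User ID=$($master.UserName);" +
      "Password=$($master.GetNetworkCredential().Password);Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection($cs)
try {
    $conn.Open()
    # Two empty databases; Active Roles creates its own schema in them during configuration.
    Invoke-RdsSql $conn "IF DB_ID(N'ARMH') IS NULL CREATE DATABASE [ARMH];"
    Invoke-RdsSql $conn "IF DB_ID(N'ARConfig') IS NULL CREATE DATABASE [ARConfig];"
    Invoke-RdsSql $conn $loginSql
    foreach ($db in 'ARMH', 'ARConfig') {
        $conn.ChangeDatabase($db)       # switch context instead of USE, which some RDS tooling blocks
        Invoke-RdsSql $conn $mapSql
    }
    "Databases ARMH and ARConfig exist; sql-activeroles is db_owner of both."
} finally {
    $conn.Dispose()
}
```

The login created here is the one to enter under Connect using in the Configuration Center steps that follow; db_owner on the two databases is all it needs, so it should not be granted any server-level role.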
To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in Active Roles Configuration Center
- Start the Active Roles Configuration Center.
- On the Dashboard, under Administration Service, click Configure.
- In the Service Account step, specify the user name and password of the Active Roles Service account. This could be, for example, the domain admin account supplied by Amazon Web Services (AWS).
- In the Active Roles Admin step, specify the security group or administrator user in the EC2 instance who will hold Active Roles Admin permissions.
- In the Configuration Database Options step, select New Active Roles database and Use a pre-created blank database.
- In the Connection to Configuration Database step, configure the following settings:
  - Database type: Select On Premise. In the context of Active Roles, the Amazon RDS for SQL Server instance behaves like an on-premises SQL Server.
  - Database Server name: Specify the endpoint URL of the RDS instance. This is the same endpoint you specified during Verifying connectivity between the EC2 and RDS instances.
  - Database name: Specify the name of the blank database that you created for use as the Active Roles Configuration database (in this example, ARConfig).
  - Connect using: Select SQL Server authentication, and specify the user name and password of the user created as the owner of the database.
- In the Management History Database Options step, select New Active Roles database and Use a pre-created blank database.
- In the Connection to Management History Database step, specify the same Database type, Database Server name and connection settings that you did for the Configuration database. However, for Database name, specify the name of the blank database that you created for use as the Active Roles Management History database (in this example, ARMH).
- In the Encryption Key Backup step, specify the file name and save location of the Active Roles database encryption key.
- (Optional) Still in Encryption Key Backup, specify a password for additional protection. To continue, click Next.
- Review your settings, then apply your changes by clicking Configure.
After you configured the Active Roles Administration Service, you can also configure the Active Roles Console to manage your AWS Managed Microsoft AD instance.
To configure Active Roles Console for managing AWS Managed Microsoft AD
- Start the Active Roles Console.
- Due to limitations with Service Connection Points (SCPs) in the Amazon cloud, Active Roles Console is likely unable to automatically discover the Administration Service instance you configured previously.
  To manually connect to the Administration Service, in the Connect to Administration Service dialog, under Service, specify localhost. Under Connect as, select Current user, then click Connect.
  NOTE: If you cannot connect to the Administration Service by specifying localhost, then specify the full Device name as indicated in the Settings > About page of the operating system.
- After you have connected, in the Active Roles Console landing page, click Add Domain.
- In the Add Managed Domain Wizard, in Domain Selection, click Browse and select the domain configured by AWS for the EC2 instance.
- In the Active Roles Credentials step, select The service account information the Administration Service uses to log on.
- To finish adding the domain, click Next, then Finish.
- To make sure that the contents of the AWS Managed Microsoft AD domain appear in the Active Roles Console, click Refresh or right-click the Active Roles node, then click Reconnect.
NOTE: The connected AWS Managed Microsoft AD environment will contain several built-in and AWS-specific containers with read-only access. You can create and manage AD objects only in the Organizational Unit whose name matches the shortname of the connected domain's name (specified during Creating the AWS Managed Microsoft AD instance).