After you created your AWS Managed Microsoft AD service and your EC2 instance(s), you must join the configured Amazon Elastic Compute Cloud (EC2) instance(s) to AWS Managed Microsoft AD.
Complete the procedure in Amazon Web Services (AWS) as described in Join an EC2 instance to your AWS Managed Microsoft AD directory in the AWS Directory Service documentation.
NOTE: Consider the following when joining the EC2 instance(s) to AWS Managed Microsoft AD:
TIP: If the domain join process ends with an error, check the specified DNS addresses and Domain Admin credentials in the AWS console.
If you manage AWS Managed Microsoft AD with Active Roles in Amazon Web Services (AWS), you must store the Active Roles Management History and Configuration databases in an Amazon Relational Database Service (RDS) instance.
Configure the RDS instance in AWS as described in Setting up for Amazon RDS in the Amazon RDS documentation.
NOTE: Consider the following when creating the EC2 instance:
-
Make sure that the connectivity requirements listed in Deployment requirements for AWS Managed Microsoft AD support are met.
-
Select the SQL Server edition that suits your needs the most. For most Active Roles use cases, SQL Server Standard Edition is an optimal choice.
-
Take note of the Master username and Master password, as these credentials will be required later.
-
For Storage type, select General Purpose SSD (gp2), and allocate a minimum storage of 60 GiB.
-
Consider selecting Enable storage autoscaling. Selecting this setting is useful if the SQL Server is utilized with a heavy load most of the time, but it might incur additional operational costs.
-
For Certificate authority, select the rds-ca-2019 certificate, as it is required for Microsoft OLE DB Driver 19 for SQL Server to function properly.
After you created the RDS instance, you can test in the EC2 instance with the telnet client or Microsoft SQL Server Management Studio (SSMS) if the RDS connectivity was successfully configured.
To verify RDS connectivity in the EC2 instance
-
Log in to the EC2 instance created for Active Roles.
-
To test connectivity to RDS, install the telnet client. To do so:
-
Open Windows Server Manager.
-
On the Dashboard, click Add roles and features.
-
In Installation Type, select Role-based or feature-based installation, then click Next.
-
In Server Selection, choose Select a server from the server pool, and make sure that the local server (the EC2 instance) is selected.
-
In Server Roles, just click Next.
-
In Features, select Telnet Client.
-
In Confirmation, click Install, then Close the application.
-
To verify connectivity to the RDS instance, open the Windows Command Prompt, and run the following command:
telnet <rds-server-endpoint> <port-number>
To find the RDS server endpoint and port to specify, open the entry of the RDS instance in the AWS console, and check the values under Connectivity & Security > Endpoint & port.
NOTE: If the command returns an empty prompt, that indicates connectivity between the EC2 instance and the RDS instance.
-
Download and install Microsoft SQL Server Management Studio (SSMS) on the EC2 instance.
-
To test the connection with SSMS, start the application, then in the Connect to Server dialog, specify the following attributes:
-
Server type: Select Database Engine.
-
Server name: The same RDS instance endpoint used in the telnet command.
-
Authentication: Select SQL Server Authentication, then specify the admin user name and password created when configuring the RDS instance.
-
After you specified all connection properties, click Connect.
After you checked the connectivity between the EC2 and RDS instances, you can deploy and configure Active Roles on the EC2 instance.
Prerequisites
Before starting the procedure, make sure that the following requirements are met:
To install Active Roles on the EC2 instance
-
Download the Active Roles installation media to the EC2 instance.
-
Run the setup and install Active Roles with all required prerequisites as described in Installing Active Roles in the Active Roles Installation Guide.
NOTE: Starting from Active Roles 8.2, make sure that you install Microsoft OLE DB Driver 19 for SQL Server and all its prerequisites from the Redistributables folder of the installation media.
Also, to make sure that the connection to the SQL Server is properly encrypted, download and install the latest AWS RDS Root Certificate by adding it to the Trusted Root Certification Authorities container of the certmgr (Manage User Certificates) utility. For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS documentation.
After installing Active Roles, configure the Active Roles Administration Service.
To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in SQL Server Management Studio
-
Start Microsoft SQL Server Management Studio (SSMS) and connect to the RDS for SQL Server instance as described in Verifying connectivity between the EC2 and RDS instances.
-
Under the Databases node of the Object Explorer, create two new empty databases to be used later for configuring Active Roles:
-
A database for the Management History database. Name it, for example, ARMH.
-
A database for the Active Roles Configuration database. Name it, for example, ARConfig.
-
Create a new user that Active Roles will use to connect to the SQL database in the RDS instance. To do so, right-click the Security > Logins node of the Object Explorer, then select New login and specify the following details:
-
Under General > Login name, enter the name of the user (for example, sql-activeroles). Then, select SQL Server authentication.
-
Under User Mapping, select the databases that you created (in this example, ARMH and ARConfig), and assign the db_owner role to both of them.
To configure Active Roles Administration Service for managing AWS Managed Microsoft AD in Active Roles Configuration Center
-
Start the Active Roles Configuration Center.
-
On the Dashboard, under Administration Service, click Configure.
-
In Service Account, enter the user name and password of the Active Roles Service account. This can be, for example, the domain admin account supplied by Amazon Web Services (AWS).
-
In Active Roles Admin, specify the security group or administrator user in the EC2 instance who will hold Active Roles Admin permissions.
-
In Configuration Database Options, select New Active Roles database and Use a pre-created blank database.
-
In Connection to Configuration Database, configure the following settings:
-
Database type: Select On Premise. In the context of Active Roles, the Amazon RDS for SQL Server instance functions like an on-premises SQL Server.
-
Database Server name: Specify the endpoint URL of the RDS instance. This is the same endpoint you specified during Verifying connectivity between the EC2 and RDS instances.
-
Database name: Specify the name of the blank database that you created as the Active Roles Configuration database (in this example, ARConfig).
-
Connect using: Select SQL Server authentication, and enter the user name and password of the user created as the owner of the database.
-
In Management History Database Options, select New Active Roles database and Use a pre-created blank database.
-
In Connection to Management History Database, specify the same Database type, Database Server name and connection settings that you set for the Configuration database. However, for Database name, enter the name of the blank database that you created for use as the Active Roles Management History database (in this example, ARMH).
-
In Encryption Key Backup, specify the file name and save location of the Active Roles database encryption key.
-
(Optional) Still in Encryption Key Backup, specify a password for additional protection. To continue, click Next.
-
Review your settings. Then, to apply your changes, click Configure.
After you configured the Active Roles Administration Service, you can also configure the Active Roles Console to manage your AWS Managed Microsoft AD instance.
To configure Active Roles Console for managing AWS Managed Microsoft AD
-
Start the Active Roles Console.
-
Due to limitations with Service Connection Points (SCPs) in the Amazon cloud, Active Roles Console is likely unable to automatically discover the Administration Service instance you configured previously.
To manually connect to the Administration Service, in the Connect to Administration Service dialog, under Service, specify localhost. Under Connect as, select Current user, then click Connect.
NOTE: If you cannot connect to the Administration Service by specifying localhost, then specify the full Device name as indicated in the Settings > About page of the operating system.
-
After you connected, in the Active Roles Console landing page, click Add Domain.
-
In the Add Managed Domain Wizard, in Domain Selection, click Browse and select the domain configured by AWS for the EC2 instance.
-
In Active Roles Credentials, select The service account information the Administration Service uses to log on.
-
To finish adding the domain, click Next, then Finish.
-
To make sure that the contents of the AWS Managed Microsoft AD domain appear in the Active Roles Console, click Refresh or right-click the Active Roles node, then click Reconnect.
NOTE: The connected AWS Managed Microsoft AD environment will contain several built-in and AWS-specific containers with read-only access. You can create and manage AD objects only in the Organizational Unit whose name matches the shortname of the connected domain's name (specified during Creating the AWS Managed Microsoft AD instance).