In this post I’ll show you how to configure AD Connector, so you can use your on-prem AD users to log in to the AWS Console. AD Connector can be used for other things as well. See the following link for use cases. From the AWS documentation:
Before we begin, make sure that you have everything in place. Check the prerequisites from the following link. There are quite a few conditions that you have to meet.
The flow looks like this.
Also, I’ve followed this AWS link to complete my AD Connector setup.
Fire up the AD Users and Computers program on your computer on-prem and create a new AD group. It has to be Global and a Security group. Once created, right-click on your domain name on top and choose Delegate Control. Type the name of the group that you’ve just created and then on the Tasks to Delegate page select Create a custom task to delegate. Click on Only the following objects in the folder, and then select Computer objects and User objects. Click on Create selected objects in this folder and Delete selected objects in this folder at the bottom.
Click Next and on the following screen, click on General and Property Specific check marks and then click on Read and Write.
Review the changes and click Finish.
Now, create a user and add that user to the AD group that you’ve just created. This user will be responsible for the connection between the AD Connector and your on-prem AD. Make sure your user’s password does not expire.
You will have to verify the connection between AWS and your on-prem. AWS documentation recommends that you build or use an existing Windows server, but you can also use some other OS to test the ports. All you have to do is to check if the following ports are open:
- TCP: 53,88,135,389,445,3268,5722,9389
- UDP: 53,88,123,138,389,445
In my case, I had an existing Windows server that I had to join to the domain. Then, I had to download a small program from this link. Unzip the archive and run the .EXE file with the following command.
DirectoryServicePortTest.exe -d <domain_name> -ip <server_IP_address> -tcp "53,88,135,389,445,3268,5722,9389" -udp "53,88,123,138,389,445"
Replace domain_name with your FQDN (in my case it’s andreev.local) and server_IP_address with the IP of one of your domain controllers. This is the output of my test.
Make sure all ports show as PASSED. In my case, port 5722 (RPC, DFSR (SYSVOL)) shows as failed, but that’s OK as long as your domain controller is 2012 and up.
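The post mentions that another OS can be used to test the ports. As an added example (not part of the original post and not AWS's tool), this Python script probes the TCP ports from the command above and treats 5722 as optional, as described; the function names are assumptions, and UDP is left out because an unanswered UDP probe does not prove a port is closed.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP ports from the post's DirectoryServicePortTest command line.
REQUIRED_TCP = (53, 88, 135, 389, 445, 3268, 9389)
# 5722 (RPC, DFSR) is allowed to fail on newer domain controllers, per the post.
OPTIONAL_TCP = (5722,)


def tcp_open(host, port, timeout=3.0):
    """Return True if a full TCP handshake with host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def check_tcp(host, required=REQUIRED_TCP, optional=OPTIONAL_TCP, timeout=3.0):
    """Probe all ports in parallel and return {port: status}."""
    ports = list(required) + list(optional)
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        opened = list(pool.map(lambda p: tcp_open(host, p, timeout), ports))
    results = {}
    for port, ok in zip(ports, opened):
        if ok:
            results[port] = "PASSED"
        elif port in optional:
            results[port] = "FAILED (optional)"
        else:
            results[port] = "FAILED"
    return results


def ready(results):
    """True when no required port failed."""
    return "FAILED" not in results.values()


if __name__ == "__main__":
    # Usage: python check_dc_ports.py <domain_controller_ip>
    report = check_tcp(sys.argv[1])
    for port, status in sorted(report.items()):
        print(f"tcp/{port}: {status}")
    sys.exit(0 if ready(report) else 1)
```

The exit code is non-zero when any required port fails, so the script can gate an automated setup step.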
AWS AD Connector
Go to your AWS console and look for Directory Services. Once there, scroll all the way to the bottom where you can see AD Connector. Do not use Microsoft AD, that’s something different.
When you create the connector, you’ll have to enter these values.
In my case, my domain is andreev.local with NetBIOS name ANDREEV. The AD user that we created before and added to that AWS AD group is called adconnector. Enter the IPs of the two domain controllers and choose the size (Small/Large).
Finally, choose the VPC and two subnets in different availability zones (AZ). The default worked fine for me.
Click Next, review and click on Create. Wait for about 10 mins until the status turns from Pending to Active. The price of a small AD Connector is about $288 a month, which is quite expensive for me, so I deleted the connector right after I finished my lab.
This is what it will look like after 10 mins if everything is OK.
AWS Console use case
As I said earlier, AD Connector can be used for many cases, but I’ll demonstrate the AWS Console access only and how to join a server to the domain. Click on the AD Connector ID and you’ll see this.
All the way at the bottom, click on AWS Management Console and enable access. You’ll be prompted to enter a URL, which is how you will access your AWS console. In my case, I chose andreev.awsapps.com. If you click on the AWS Management Console link again, it will prompt you to select a Role and assign some users.
Most likely, you don’t have any roles or AD users ready, so go ahead and create a new AD user or AD group that will have access to Glacier only. Then, open a new tab in your browser, log in to your AWS console and go to IAM. Create a new Role. Choose Directory Services as shown.
On the next screen, type glacier and select the first policy (AmazonGlacierFullAccess).
Name the role and click Create.
Go back to the other tab with the AD Connector and click Refresh on the right so the new role shows up.
Click on the newly created role, then click Add when this screen shows up.
Start typing the AD user or group that you just created for Glacier access and click Add.
Now, you can open a new tab in your browser, go to your new AWS console access URL (e.g. andreev.awsapps.com/console) and log in with your AD credentials. No need to type your domain name. Just use your AD account and password.
Another useful feature that you get by configuring AD Connector is that when you provision a new Windows instance, you can automatically join it to the domain. Just select the domain name when it prompts for the other settings.