
Install Active Directory and federate with an AWS account


Active Directory and Federated user creation

Requirement:

Create users in Active Directory and provide selective access to AWS services.

Solution:

  1. Create an EC2 Windows machine (OS version 2008/2012/2016)
  2. Configure AD on the Windows machine
  3. Configure the DNS server
  4. Configure a PTR record in DNS
  5. Create test users in AD
  6. Reset the Administrator user password in AD
  7. Create a directory in AWS Directory Service
  8. Create a role and policy for Directory Service and establish trust
  9. Create the AWS domain/console URL that federated users will access
  10. Enable management console access for the domain URL
  11. Add users in Directory Service
  12. Test the access for federated users

Detailed steps:


Create AD and create users in it; those users should then be able to log in to the AWS Console with selective access.

1. Launch a Windows 2012 R2 instance in a custom VPC and subnet.
   a. Create the VPC with CIDR range 10.0.0.0/16
   b. Create two public subnets with CIDR ranges 10.0.1.0/24 and 10.0.2.0/24
   c. Create an Internet Gateway and attach it to the VPC.
   d. Add a route in the route table with the IGW as target.
   e. Launch a Windows 2012 R2 EC2 instance with a public IP enabled.

2. Assign the instance's own IP address as the Preferred DNS Server.
   a. Log in to the EC2 instance and open Network Connections by running ncpa.cpl from the Run prompt.
   b. Right-click Ethernet and select Properties.
   c. Disable IPv6, select IPv4 and click Properties.
   d. Open a command prompt and note the IP address of the EC2 instance.
   e. Select the radio button "Use the following DNS server addresses", enter the EC2 instance's IP address as the Preferred DNS Server and click OK.

3. Install Active Directory on the EC2 instance.
   a. Open Server Manager by running servermanager from the Run prompt.
   b. Click Add roles and features on the Server Manager dashboard and click Next.
   c. Select Role-based or feature-based installation and click Next.
   d. Select the radio button Select a server from the server pool and click Next.
   e. Tick the checkbox beside Active Directory Domain Services.
   f. Click Add Features in the pop-up.
   g. Wait for the installation succeeded message and click Close.
   h. Click the notification icon at the top right and click the Promote this server to a domain controller link.
   i. Select the radio button beside Add a new forest and enter the root domain name.
   j. Enter the DSRM password, confirm it and click Next.
      Note: this password is used to restore Active Directory in case AD is corrupted.
   k. Click Next on the DNS Options screen and on the Additional Options screen.




   l. Ignore the warnings and click Install.
      Note: the server will be rebooted automatically. Wait for 5 minutes and reconnect to the server.

4. Repeat the steps listed in step 2 to reassign the Preferred DNS Server.
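Steps 2 to 4 can also be done from an elevated PowerShell session instead of the GUI; this is an added example, not part of the original post. It assumes the adapter is named Ethernet and the forest root domain is aws4dummes.local (the post only shows Aws4dummes as the domain name).

```powershell
# Added example (not from the original post): steps 2-4 from an elevated
# PowerShell session on the Windows 2012 R2 EC2 instance.
# Assumptions: the NIC is called "Ethernet" and the forest root domain will be
# "aws4dummes.local".
$InterfaceAlias = 'Ethernet'
$DomainName     = 'aws4dummes.local'

# Step 2: point the instance at itself for DNS. The IPv4 address is read from
# the adapter rather than typed in (link-local 169.254.x addresses have
# PrefixOrigin 'WellKnown' and are skipped), so it cannot be mistyped.
$OwnIp = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
Disable-NetAdapterBinding -Name $InterfaceAlias -ComponentID 'ms_tcpip6'   # 2c: disable IPv6
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $OwnIp

# Step 3a-g: install the AD DS role plus its management tools (RSAT, DNS tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Step 3h-l: promote to the first domain controller of a new forest. The DSRM
# password (3j) is prompted for as a SecureString so it never lands in the
# command history or in this script. -InstallDns installs the DNS role that
# step 5 configures; -Force suppresses the confirmation prompt. The server
# reboots itself when this finishes, exactly as the note above says.
$DsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString
Install-ADDSForest -DomainName $DomainName `
                   -SafeModeAdministratorPassword $DsrmPassword `
                   -InstallDns `
                   -Force

# Step 4 (run after reconnecting): confirm the DNS client setting survived
# promotion; the DC's own address should be the only server listed.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
```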
5. Configure the DNS server.
   a. Open Server Manager by running servermanager from the Run prompt.
   b. Click Tools at the top right and click DNS.
   c. Expand the server, select Reverse Lookup Zones, right-click it and click New Zone.
   d. Enter the first three octets of the IP address as the Network ID.
   e. Select the radio button beside Allow both nonsecure and secure dynamic updates.
   f. Click Finish.

6. Add a new PTR record.
   a. Expand Reverse Lookup Zones, right-click the zone just created and click New Pointer (PTR).
   b. In New Resource Record, browse and select the Windows host.
   c. Click OK.
   d. Open PowerShell and run nslookup to verify that the hostname resolves within the newly created domain.



7. Add new test users in AD.
   a. Select Active Directory Users and Computers from Tools in the top right corner.
   b. Expand Aws4dummes → Users → New → User.
   c. Create the users.
   d. Set a password for each user and also tick the checkbox beside Password never expires.
   e. Click Finish.
   f. Reset the password for the Administrator user.
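Steps 5 to 7 in PowerShell on the new domain controller, added here as an example that is not from the original post. It assumes the DC has the address 10.0.1.10 in the 10.0.1.0/24 subnet from step 1, the domain aws4dummes.local, and constructed user names testuser1 and testuser2.

```powershell
# Added example (not from the original post): steps 5-7 on the new domain
# controller. Assumptions: the DC's IPv4 address is 10.0.1.10 (subnet
# 10.0.1.0/24 from step 1), the domain is aws4dummes.local and the user names
# are constructed for this example.
$DcIp   = '10.0.1.10'
$DcName = $env:COMPUTERNAME
$Domain = 'aws4dummes.local'

# Step 5: reverse lookup zone for the /24 ("first three octets" in the wizard).
# Zone and PTR names are derived from the address so they cannot disagree:
# 10.0.1.10 -> zone 1.0.10.in-addr.arpa, record name 10.
$Octets   = $DcIp.Split('.')
$ZoneName = "$($Octets[2]).$($Octets[1]).$($Octets[0]).in-addr.arpa"
# 'NonsecureAndSecure' reproduces 5e; 'Secure' (AD-authenticated updates only)
# is the hardened choice for anything beyond a lab.
Add-DnsServerPrimaryZone -NetworkId "$($Octets[0]).$($Octets[1]).$($Octets[2]).0/24" `
                         -ReplicationScope 'Forest' -DynamicUpdate 'NonsecureAndSecure'

# Step 6: PTR for the DC itself in that zone.
Add-DnsServerResourceRecordPtr -ZoneName $ZoneName -Name $Octets[3] -PtrDomainName "$DcName.$Domain"

# Step 6d: both directions must resolve before AD Connector can reach the DC.
Resolve-DnsName -Name "$DcName.$Domain" -Type A
Resolve-DnsName -Name $DcIp                # reverse lookup through the PTR just added

# Step 7: test users. One password prompt, stored as a SecureString;
# PasswordNeverExpires reproduces 7d (fine for a lab, not for production).
$UserPassword = Read-Host -Prompt 'Password for the test users' -AsSecureString
foreach ($Name in 'testuser1', 'testuser2') {
    New-ADUser -Name $Name -SamAccountName $Name `
               -UserPrincipalName "$Name@$Domain" `
               -AccountPassword $UserPassword `
               -PasswordNeverExpires $true -Enabled $true
}

# Step 7f: reset the built-in Administrator password; AD Connector binds to
# the domain with this account in step 8.
Set-ADAccountPassword -Identity 'Administrator' -Reset `
    -NewPassword (Read-Host -Prompt 'New Administrator password' -AsSecureString)
```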

8. Create the directory in Directory Service.
   a. Log in to the AWS console and navigate to Services → Directory Service.
   b. Click Create Directory.
   c. Select AD Connector and click Next.
   d. Select the directory size as per your requirement.
   e. Select the VPC and the subnets created in that VPC.
   f. Enter the DNS name and the DNS IP address.
   g. Review the details and click Create Directory.
   h. This step takes approximately 5-10 minutes to complete; the status turns Active if all the configuration is correct.

9. Create the IAM role and policy for Directory Service.
   a. Navigate to Services → IAM → Roles → Create Role.
   b. Choose Directory Service and click the Next: Permissions button.
   c. Search for EC2 and select AmazonEC2FullAccess.
   d. Enter a role name of your choice and click Create Role.
   e. Navigate to Services → Directory Service and make sure the custom role just created is listed in the Delegate Console Access section.

10. Create the custom AWS console URL.
   a. Navigate to Services → Directory Service → the directory created above.
   b. Enter the console access URL and click Create.
   c. Click the Enable button.
   d. Enable AWS Management Console access.

11. Add users to allow access to the custom AWS console URL.
   a. Navigate to the custom Delegate Console Access role.
   b. Click the Add button to add the users created in AD and allow them access to the custom AWS URL.
   c. Search for the users created and click Add.

12. Log in to the custom URL created for AD users and test the access.
   a. Access the URL and log in as one of the users created.
   b. Navigate to Services → EC2; the user should have full access.
   c. Navigate to Services → S3 to confirm the user has no permission there.
   Note: the Directory Service role was created with full access to EC2 only. Hence the AD user won't be able to access any other AWS service.
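Steps 8 to 10 and the permission check of step 12 with the AWS CLI run from PowerShell, an added example rather than the post's own steps. VPC, subnet and account IDs are placeholders, the DC address and domain are the ones assumed above, and the final policy simulation confirms the EC2-only scope of the role without logging in as an AD user.

```powershell
# Added example (not from the original post): steps 8-10 and the step 12 check
# with the AWS CLI. Placeholders: VPC/subnet IDs and the account ID
# 111122223333; the DC is assumed to be 10.0.1.10 in domain aws4dummes.local.
$VpcId     = 'vpc-PLACEHOLDER'
$SubnetIds = 'subnet-PLACEHOLDER1,subnet-PLACEHOLDER2'   # the two subnets from step 1b
$RoleName  = 'ADConnectorEC2Access'
$AccountId = '111122223333'

# Step 8: create the AD Connector. It binds to the domain as Administrator
# (password reset in step 7f); the password is prompted for, not stored here.
$BindPassword = Read-Host -Prompt 'AD Administrator password'
$DirectoryId = aws ds connect-directory `
    --name 'aws4dummes.local' --short-name 'AWS4DUMMES' --size Small `
    --password $BindPassword `
    --connect-settings "VpcId=$VpcId,SubnetIds=$SubnetIds,CustomerDnsIps=10.0.1.10,CustomerUserName=Administrator" `
    --query 'DirectoryId' --output text

# Step 9: the role Directory Service hands to federated AD users. The trust
# policy lets only the ds.amazonaws.com service principal assume it, and the
# only permission attached is the managed policy chosen in 9c.
$TrustPolicy = @'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ds.amazonaws.com"},"Action":"sts:AssumeRole"}]}
'@
Set-Content -Path trust.json -Value $TrustPolicy
aws iam create-role --role-name $RoleName --assume-role-policy-document file://trust.json
aws iam attach-role-policy --role-name $RoleName --policy-arn 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'

# Step 10a-b: the console access alias. Enabling console access (10c-d) and
# mapping AD users to the role (step 11) stay console steps as in the post.
aws ds create-alias --directory-id $DirectoryId --alias 'aws4dummes-console'

# Step 12 check before any user logs in: simulate what the role may do.
# Expected: ec2:DescribeInstances -> allowed, s3:ListAllMyBuckets -> implicitDeny,
# which is exactly the EC2-only scope the note above describes.
aws iam simulate-principal-policy `
    --policy-source-arn "arn:aws:iam::${AccountId}:role/$RoleName" `
    --action-names ec2:DescribeInstances s3:ListAllMyBuckets `
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
```

The alias must be globally unique in the region, and the bind password is passed on the command line here for brevity; use --cli-input-json with a file if that is a concern in your environment.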
