Many customers I talk to use Active Directory to manage centralized user authentication and authorization for a wide range of applications and services. For these customers, Active Directory is a critical piece of their IT jigsaw.

At AWS, we offer AWS Directory Service for Microsoft Active Directory, which gives our customers a highly available and resilient Active Directory service built on actual Microsoft Active Directory. AWS manages the infrastructure required to run Active Directory and handles all of the patching and software updates needed. It is fully managed, so, for example, if a domain controller fails, our monitoring will automatically detect and replace that failed controller.

Manually connecting a machine to Active Directory is a thankless job: you have to connect to the computer, make a series of manual changes, and then perform a reboot. While none of this is particularly difficult, it does take time, and if you have a number of machines that you want to onboard, this job quickly becomes a time sink.

Today the team is unveiling a new feature which enables a Linux EC2 instance, as it is launched, to seamlessly join AWS Directory Service for Microsoft Active Directory. This complements the existing feature that allows Windows EC2 instances to seamlessly domain join as they are launched. This capability lets customers move faster and improves the experience for administrators.

Now you can have both your Windows and Linux EC2 instances seamlessly join AWS Directory Service for Microsoft Active Directory. The directory can be in your own account or shared with you from another account; the one caveat is that both the instance and the directory must be in the same region.

To show you how the process works, let's take an existing AWS Directory Service for Microsoft Active Directory and work through the steps required to have a Linux EC2 instance seamlessly join that directory.

Create and Store AD Credentials
To seamlessly join a Linux machine to my AWS Managed Microsoft AD domain, I need an account that has permission to join machines to the domain. While members of the AWS Delegated Administrators group have sufficient privileges to join machines to the domain, I have created a service account that has only the minimum privileges required. Our documentation explains how to create this kind of service account.

The seamless domain join feature needs the credentials of my Active Directory service account. It reads them from a secret in AWS Secrets Manager with specifically named keys, so I need to create that secret, which the feature will then use to join instances to the directory.

In the AWS Secrets Manager console I click the Store a new secret button. On the next screen, when asked to Select a secret type, I choose the option named Other type of secrets. I can now add two secret key/value pairs. The first key is called awsSeamlessDomainUsername, and in the value textbox I enter the username of my Active Directory service account. The second key is called awsSeamlessDomainPassword, and here I enter the password of my service account.

Since this is a demo, I chose to use the DefaultEncryptionKey for the secret, but you might decide to use your own KMS key.

After clicking Next, I am asked to give the secret a name. I enter the following name, replacing d-xxxxxxxxxx with my directory ID:

aws/directory-services/d-xxxxxxxxxx/seamless-domain-join

The instance looks the secret up by this exact name, so the domain join will fail if you mistype it or if it has any leading or trailing spaces.

I note down the Secret ARN, as I will need it when I create my IAM policy. Secrets Manager appends a hyphen and six random characters to the ARN, so copy it from the console rather than constructing it from the name.

Create The Required IAM Policy and Role
Now I need to create an IAM policy that grants permission to read my seamless-domain-join secret, and nothing else.

I sign in to the IAM console and choose Policies. In the content pane, I select Create policy. I switch over to the JSON tab and copy in the following JSON policy document, replacing the Secrets Manager ARN with the one I noted down earlier. The policy allows only the two read actions the feature needs, on that one secret.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:############:secret:aws/directory-services/d-xxxxxxxxxx/seamless-domain-join-xxxxxx"
            ]
        }
    ]
}

On the Review page, I name the policy SeamlessDomainJoin-Secret-Readonly, then choose Create policy to save my work.

Now I need to create an IAM role that uses this policy (and a couple of AWS managed ones). In the IAM console, I choose Roles, and then in the content pane, choose Create role. Under Select type of trusted entity, I select AWS service, then select EC2 as the use case, and click Next: Permissions.

I attach the following policies to my role: AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, and SeamlessDomainJoin-Secret-Readonly.

I click through to the Review screen, where it asks for a Role name. I call the role EC2DomainJoin, but it could be called whatever you like. I then create the role by choosing Create role at the bottom right of the screen.
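The console steps above, scripted with the AWS CLI. This is an added example and not code from the original post: it builds the exactly named secret, the two-action read policy scoped to that secret's ARN, and the EC2DomainJoin role with its three policies. Assumptions beyond what the post states: a directory ID is "d-" followed by ten lowercase hex characters, the instance profile (which the console creates for you but the CLI does not) is given the same name as the role, and the AWS CLI is configured for the directory's region. Only apply_all() calls AWS; the builder functions are pure and can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post: the secret, policy and role
# from the steps above, built with the AWS CLI. Only apply_all() talks to AWS;
# the builder functions are pure and can be exercised offline.
set -eu

# Assumption: a directory ID is "d-" followed by ten lowercase hex characters.
# Leading or trailing whitespace fails the match, which is what we want here.
seamless_secret_name() {
  printf '%s' "$1" | grep -Eq '^d-[0-9a-f]{10}$' || {
    echo "bad directory ID: '$1'" >&2; return 1; }
  printf 'aws/directory-services/%s/seamless-domain-join' "$1"
}

# Escape the two characters that break a JSON string literal. Service-account
# passwords often contain them; an unescaped one yields a secret the agent cannot
# parse. Newlines and other control characters are out of scope here.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Both key names are fixed by the feature; any other key is ignored.
seamless_secret_string() {
  printf '{"awsSeamlessDomainUsername":"%s","awsSeamlessDomainPassword":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Least-privilege read policy: two actions, one secret, and no wildcards accepted.
secret_read_policy() {
  case "$1" in
    *\**) echo "refusing wildcard in secret ARN: $1" >&2; return 1 ;;
    arn:aws:secretsmanager:*:*:secret:*) ;;
    *) echo "not a Secrets Manager secret ARN: $1" >&2; return 1 ;;
  esac
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["secretsmanager:GetSecretValue","secretsmanager:DescribeSecret"],"Resource":["%s"]}]}' "$1"
}

# Trust policy that lets EC2 assume the role (what the console's EC2 use case creates).
ec2_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# apply_all DIRECTORY_ID SERVICE_USER SERVICE_PASSWORD
# Needs the AWS CLI configured for the directory's region. Passing the password
# as an argument exposes it to `ps` and shell history; for anything beyond a demo
# write the secret string to a file and use --secret-string file://path instead.
apply_all() {
  role=EC2DomainJoin                          # role name used in the post
  policy=SeamlessDomainJoin-Secret-Readonly   # policy name used in the post
  name=$(seamless_secret_name "$1")
  # Secrets Manager appends a random suffix to the ARN, so read it back rather than guess it.
  secret_arn=$(aws secretsmanager create-secret --name "$name" \
      --secret-string "$(seamless_secret_string "$2" "$3")" \
      --query ARN --output text)
  policy_arn=$(aws iam create-policy --policy-name "$policy" \
      --policy-document "$(secret_read_policy "$secret_arn")" \
      --query Policy.Arn --output text)
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  for p in arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore \
           arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess "$policy_arn"; do
    aws iam attach-role-policy --role-name "$role" --policy-arn "$p"
  done
  # The console creates an instance profile alongside the role; the CLI does not,
  # and it is the profile (assumed here to share the role's name) that EC2 attaches.
  aws iam create-instance-profile --instance-profile-name "$role" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
  echo "created $secret_arn, readable only by role $role"
}
```

Run it as `apply_all d-0123456789 svc-domainjoin 'the-password'` after sourcing the file. The policy builder deliberately refuses a `*` anywhere in the resource ARN: the point of the separate policy is that the instance role can read this one secret and no other.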

Create an Amazon Machine Image
When I launch a Linux instance later, I will need to pick a Linux Amazon Machine Image (AMI) as a template. Currently, the default Linux AMIs do not contain the version of the AWS Systems Manager Agent (SSM Agent) that this new seamless domain join feature needs, so I have to create an AMI with an updated SSM Agent. To do this, I first launch a new Linux instance in my account and connect to it using my SSH client. I then follow the documentation to update the SSM Agent to version 2.3.1644.0 or newer. Once the instance has finished updating, I create a new AMI from it, following the documentation for creating an AMI from an instance.

I now have a new AMI that I can use in the next step. In the future the base AMIs will ship with the newer SSM Agent, and this section can be skipped. If you want to know which version of the SSM Agent an instance is running, the documentation explains how to check.
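An added pre-flight check for the agent requirement above; it is not part of the original post. It pulls a dotted version out of whatever text the agent or Systems Manager reports and compares it numerically against 2.3.1644.0, so "2.3.1319.0" is rejected and "3.0.161.0" accepted (a plain string comparison would get the second one wrong). Assumptions: `amazon-ssm-agent -version` prints a line containing the version, and the AgentVersion field returned by `aws ssm describe-instance-information` is the version the instance registered with. The version strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: gate an AMI or a running
# instance on the SSM Agent version the seamless Linux domain join needs.
set -eu

MIN_SSM_AGENT=2.3.1644.0   # minimum stated in the post

# version_ge HAVE WANT: returns 0 if HAVE >= WANT, comparing up to four numeric
# components. ".0.0.0" is appended so a short version such as "3.0.161" still
# splits into four fields instead of making `cut` echo the whole string.
version_ge() {
  have="$1.0.0.0"; want="$2.0.0.0"; i=1
  while [ "$i" -le 4 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i")
    w=$(printf '%s' "$want" | cut -d. -f"$i")
    if [ "$h" -gt "$w" ]; then return 0; fi
    if [ "$h" -lt "$w" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Pull the first dotted version (3 or 4 components) out of arbitrary text,
# e.g. "SSM Agent version: 2.3.1644.0" -> "2.3.1644.0". Prints nothing if absent.
extract_version() {
  printf '%s' "$1" | grep -Eo '[0-9]+(\.[0-9]+){2,3}' | head -n1
}

# ssm_agent_ok TEXT: 0 if the version found in TEXT meets MIN_SSM_AGENT.
ssm_agent_ok() {
  v=$(extract_version "$1")
  [ -n "$v" ] || { echo "no agent version found in: $1" >&2; return 1; }
  version_ge "$v" "$MIN_SSM_AGENT"
}

# On the instance itself. Assumption: the agent binary reports its version this way.
check_local() {
  ssm_agent_ok "$(amazon-ssm-agent -version 2>&1)"
}

# From your workstation, for a managed instance (needs the AWS CLI). An answer of
# "None" means Systems Manager has no record of the instance, which also means the
# seamless join cannot work yet, because it is delivered through the agent.
check_instance() {
  v=$(aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].AgentVersion' --output text)
  ssm_agent_ok "$v"
}
```

Run `check_local` on the instance you are about to turn into an AMI, or `check_instance i-0123456789abcdef0` against an instance launched from it; either returns non-zero when the agent is too old.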

Seamless Join
To start, I need to create a Linux instance, so I head over to the EC2 console and choose Launch Instance.

Next, I select a Linux Amazon Machine Image (AMI): the one I created earlier.

When configuring the instance, I am careful to choose the Amazon Virtual Private Cloud that contains my directory. Using the drop-down labeled Domain join directory, I select the directory that I want this instance to join.

For the IAM role, I select the EC2DomainJoin role that I created earlier.

When I launch this instance, it will seamlessly join my directory. Once the instance comes online, I can confirm that everything is working correctly by using SSH to connect to the instance with the administrator credentials of my AWS Directory Service for Microsoft Active Directory.

This new feature is available from today, and we look forward to hearing your feedback about this new capability.

Happy Joining

— Martin




