As part of this module you will log in to the Active Directory on EC2, create users and groups and prepare it for a trust relationship. You will then log in to the Remote Desktop Gateway of the DS AD, prepare it for the trust relationship and establish the trust.
The objective of this module is to enable SSO using your existing directory in your on-premise environment. For ease of the lab we have created an AD on an EC2 instance, which is treated as the on-premise AD. You will establish a trust relationship between your on-premise AD and the AD on DS in the same way you would to configure SSO.
Table of Contents:
- Login to the Remote Desktop Gateway
- Prepare AD on EC2 for trust relationship
- Create trust relationship between AD on EC2 & AD on DS
- Expected Outcome
Login to the Remote Desktop Gateway:
- Login to the "Shared Services Account" with the PayerAccountAccessRole role created as part of account creation, using the cross-account switch role capability.
- Change the region to Ireland (eu-west-1) by selecting the region from the top right of the Management Console.
- Navigate to the CloudFormation console and select the stack that you created as part of the Create Active Directory for SSO module (e.g. LZ-Active-Directory).
- From the Outputs section, use the value of key 'RemoteDesktopGatewayIP' and log in to it using the RDP client. Use the value of 'ADonDSDomainAdminUser' from the Outputs section of the stack as the username and the password you provided for parameter 'DSDomainAdminPassword' while launching the stack.
- Also save the values of keys 'ADDomainController1' and 'ADonDSDomainAdminUser'; they will be used in the next step.
Tip:
If you haven't changed the password while launching the stack, you will find the value for DSDomainAdminPassword in the parameter file landing-zone-active-directories-parameters.json.
Note:
The Domain Controllers on EC2 are in a private subnet, so use the Remote Desktop Gateway as a stepping (jump) server.
Prepare AD on EC2 for trust relationship:
- From within the Remote Desktop Gateway server that you logged in to in the previous step, launch the RDP client and connect to Domain Controller 1 (DC1) using the IP address from the value of key 'ADDomainController1' (e.g. 10.0.0.10).
- Use the value of key 'ADonEC2DomainAdminUser' as the username and the password you provided for parameter 'DomainAdminPassword' while launching the stack.
Tip:
If you haven't changed the password while launching the stack, you will find the value for DomainAdminPassword in the parameter file landing-zone-active-directories-parameters.json.
- Configure DNS Conditional Forwarders for your domain on the EC2 instances as explained in the AWS documentation. From that documentation, only perform the steps under the heading "Configure DNS Conditional Forwarders for Your On-premises Domain".
- Download the ADConfig.zip file directly inside the DC1 machine from this S3 location and extract the zip file.
Using CLI:
Download the file:
    Invoke-WebRequest -Uri https://s3.amazonaws.com/arc325-reinvent2017/ADConfig.zip -OutFile "C:\ADConfig.zip"
- Open PowerShell as Administrator and navigate to the ADConfig directory that you downloaded and extracted in the previous step.
- Run the script titled 'CreateUsersAndGroups.ps1'. It will create the required AD groups.
- When it prompts for the password for the users to be created in AD, enter a strong password of 8 to 20 characters containing upper case letters, lower case letters and numbers. It will then create the users and add each user to the appropriate group. NOTE: The list of users and groups can be found in the users.csv and groups.csv files.
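A re-runnable version of what this step does, written here as an added example (it is not the lab's CreateUsersAndGroups.ps1 and not code from the page); the CSV column names, the LabUsers OU and the password check are assumptions:

```powershell
# Added example, not the lab's own script: creates the groups and users listed in
# groups.csv and users.csv, enforces the password rule the lab states (8 to 20 characters
# with upper case, lower case and numbers) before touching AD, and skips objects that
# already exist so it can be re-run safely. Assumed (hypothetical) CSV layout: groups.csv
# has a 'Name' column; users.csv has 'SamAccountName', 'GivenName', 'Surname', 'Group'.
Import-Module ActiveDirectory

function Test-LabPassword {
    param([string]$Plain)
    # Same rule the lab prompt asks for; -cmatch is case-sensitive, -match is not.
    return ($Plain.Length -ge 8 -and $Plain.Length -le 20 -and
            $Plain -cmatch '[A-Z]' -and $Plain -cmatch '[a-z]' -and $Plain -match '[0-9]')
}

$secure = Read-Host -Prompt 'Password for the new lab users' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if (-not (Test-LabPassword $plain)) {
    throw 'Password must be 8 to 20 characters with upper case, lower case and numbers.'
}
$plain = $null   # drop the clear-text copy; only the SecureString is passed to AD below

$domainDn = (Get-ADDomain).DistinguishedName
$ouPath   = "OU=LabUsers,$domainDn"            # assumed target OU for the lab objects
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'LabUsers'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'LabUsers' -Path $domainDn
}

foreach ($g in Import-Csv '.\groups.csv') {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security -Path $ouPath
        Write-Host "Created group $($g.Name)"
    }
}

foreach ($u in Import-Csv '.\users.csv') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'")) {
        New-ADUser -Name "$($u.GivenName) $($u.Surname)" -SamAccountName $u.SamAccountName `
            -GivenName $u.GivenName -Surname $u.Surname -Path $ouPath `
            -AccountPassword $secure -Enabled $true
        Write-Host "Created user $($u.SamAccountName)"
    }
    # Group membership is what grants access through the trust, so reconcile it on every run.
    $members = Get-ADGroupMember -Identity $u.Group | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $u.SamAccountName) {
        Add-ADGroupMember -Identity $u.Group -Members $u.SamAccountName
        Write-Host "Added $($u.SamAccountName) to $($u.Group)"
    }
}
```

Run it from the extracted ADConfig directory as a domain administrator on DC1; the domain's own password policy still applies on top of the check above.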
Create trust relationship between AD on EC2 & AD on DS:
- Configure the trust relationship at AD on EC2 by following this tutorial on DC1. At step 3 of the tutorial, provide landingzone.aws for the remote domain name.
- Configure the trust relationship at AD on DS by providing the appropriate parameters:
  - Remote domain name: the domain name that you provided for AD on EC2 (if you have not changed the default value, it is landingzone-op.aws).
  - Trust password: the password that you provided in the previous step (Step 1 above) while enabling the trust relationship at AD on EC2.
  - Trust direction: select 'Two-Way'.
  - Conditional forwarder: enter '10.0.0.10' in the first field, click "Add IP address", and enter '10.0.32.10' in the next field.
Using CLI:
- Get the directory id of the Directory Service AD on DS using the command below. If you have changed the domain name for AD on DS, update the value being grepped accordingly.
    aws ds describe-directories --region eu-west-1 --profile sharedserv --query 'DirectoryDescriptions[*].{ID:DirectoryId,Domain:Name}' --output text | grep landingzone.aws
  Output:
    landingzone.aws d-9876543exp
- Execute the following command, providing the appropriate values for the parameters:
  - --directory-id: the value that you obtained from the previous command.
  - --remote-domain-name: the domain name that you provided for AD on EC2 (if you have not changed the default value, it is landingzone-op.aws).
  - --trust-password: the password that you provided while configuring the trust relationship at AD on EC2.
    aws ds create-trust --remote-domain-name landingzone-op.aws --trust-direction Two-Way --trust-type Forest --conditional-forwarder-ip-addrs 10.0.0.10 10.0.32.10 --region eu-west-1 --profile sharedserv --directory-id d-9876543exp --trust-password securepassword
  Output:
    { "TrustId": "t-23963c9367" }
- After a few minutes, check the state of the trust by providing the correct --directory-id; it should be 'Verified'.
    aws ds describe-trusts --region eu-west-1 --profile sharedserv --query 'Trusts[*].{TrustId:TrustId,State:TrustState}' --output text --directory-id d-9876543exp
  Output:
    Verified t-23963c9367
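The three aws ds calls above, as an added example (not part of the lab or the page) that looks the directory up by exact name instead of grep, keeps the trust password out of the shell history, and polls until the trust is Verified or fails; it assumes the 'sharedserv' profile and the lab's default domain names and DC addresses:

```powershell
# Added example, not part of the lab: performs the describe-directories, create-trust and
# describe-trusts calls from PowerShell. Assumptions: profile 'sharedserv' exists, and the
# lab defaults landingzone.aws (AD on DS) and landingzone-op.aws with DCs 10.0.0.10 and
# 10.0.32.10 (AD on EC2) are in use.
$Region    = 'eu-west-1'
$Profile   = 'sharedserv'
$DsDomain  = 'landingzone.aws'
$Ec2Domain = 'landingzone-op.aws'
$Ec2Dcs    = @('10.0.0.10', '10.0.32.10')   # expanded into two arguments by PowerShell

# Exact match on Name: in the grep version the '.' in landingzone.aws matches any character.
$dirId = aws ds describe-directories --region $Region --profile $Profile `
    --query "DirectoryDescriptions[?Name=='$DsDomain'].DirectoryId | [0]" --output text
if (-not $dirId -or $dirId -eq 'None') { throw "No directory named $DsDomain found in $Region" }

# Must be the same password entered on the EC2 side. Reading it here keeps it out of the
# shell history; the CLI still receives it as an argument because create-trust has no prompt.
$secure  = Read-Host -Prompt "Trust password set at AD on EC2 for $Ec2Domain" -AsSecureString
$trustPw = [System.Net.NetworkCredential]::new('', $secure).Password

$trustId = aws ds create-trust --region $Region --profile $Profile --directory-id $dirId `
    --remote-domain-name $Ec2Domain --trust-direction Two-Way --trust-type Forest `
    --conditional-forwarder-ip-addrs $Ec2Dcs --trust-password $trustPw `
    --query 'TrustId' --output text
$trustPw = $null
if (-not $trustId -or $trustId -eq 'None') { throw 'create-trust returned no TrustId' }
Write-Host "Created trust $trustId; waiting for verification"

# Creation is asynchronous: poll TrustState every 30 s and give up after 15 minutes.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $state = aws ds describe-trusts --region $Region --profile $Profile --directory-id $dirId `
        --trust-ids $trustId --query 'Trusts[0].TrustState' --output text
    Write-Host "$(Get-Date -Format 'HH:mm:ss') trust $trustId state: $state"
} while ($state -ne 'Verified' -and $state -notlike '*Failed' -and (Get-Date) -lt $deadline)

if ($state -ne 'Verified') {
    throw "Trust $trustId is '$state', not Verified. Check the conditional forwarders and the password on both sides."
}
```

A state of VerifyFailed usually means the DS side cannot resolve or reach the EC2 domain controllers, or the two trust passwords differ.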
Expected Outcome:
- Successfully logged in to the Remote Desktop Gateway and the EC2 Domain Controller.
- Created a DNS Conditional Forwarder in AD on EC2.
- Created AD groups and users by running the PowerShell script.
- Configured the trust relationship in AD on EC2.
- Configured the trust relationship in AD on DS.
- Successfully verified the trust relationship.