Use EC2 to Build Windows Active Directory
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.
A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain-type network: it assigns and enforces security policies for all computers and installs or updates software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.
Please follow the instructions below to create two EC2 instances, a VPC, a subnet, an Internet Gateway, a Security Group, a route table, and a DHCP Options Set.
List of Contents
- Create EC2 Windows Instance
- Connect to EC2 Windows Instance
- Create Active Directory Domain Service
- Set DHCP Options Sets in AWS
- Join Domain
- Clean Resources
Imagine having hundreds of computers to manage. How can you log in to each of them with a single account? Adding a user to every computer is a time-consuming job, and if you need to change your password you have to repeat the whole exercise. Windows Active Directory lets you centrally manage the resources in your domain, including computers, users, printers, files, and more.
In this tutorial, we create two EC2 instances: one hosts AD DS and the other plays the role of a new PC that joins the domain we created. With AD DS in place, we can manage computers and users conveniently from one place.
Prerequisites
- If your OS is macOS, download Microsoft Remote Desktop.
- If your OS is Windows, download Microsoft Remote Desktop.
- An AWS account.
- Make sure the region is US East (N. Virginia), whose short name is us-east-1.
Create EC2 Windows Instance
Now we create two EC2 Windows instances to simulate the scenario: one hosts the AD service and the other joins the domain we create. Imagine having hundreds of hosts joined to the domain: we can manage them all centrally. What a convenient service!
Log in to the AWS console and make sure the region is N. Virginia.
On the upper panel, click Services -> EC2.
Click Launch Instance.
For AMI, select Microsoft Windows Server 2012 R2 Base (AMI ID ami-0c34e56c5b17e933d).
For instance type, choose t2.micro and click Next: Configure Instance Details.
In Number of instances, type 2.
In Network, click Create new VPC.
In IPv4 CIDR block, type 172.31.0.0/16 and leave the other options at their defaults.
Remember your VPC ID.
Go back to Configure Instance Details and click Create new Subnet.
In Name tag, type AD Lab subnet and select the VPC ID we just created.
In the VPC panel, click Route Tables -> Create route table.
In Name tag, type AD Lab route table and select the VPC we created.
Select the route table we created and click Actions -> Set Main Route Table.
In the VPC Dashboard, click Internet Gateways, then Create internet gateway.
In Name tag, type AD Lab Internet Gateway and click Create.
Select the internet gateway we created and click Actions -> Attach to VPC.
Choose our VPC -> Attach.
Go back to Route Tables, choose the route table we created and click Edit routes to add the route to the internet gateway.
In Auto-assign Public IP, select Enable.
Back in Configure Instance Details, keep the rest of the settings at their defaults until Step 5: Add Tags.
In Key, type Name, and fill in Value (we rename each instance individually in a later step).
In Step 6: Configure Security Group, select Create a new security group and type a security group name.
Add Rule -> Type: All traffic, Source:
Add Rule -> Type: RDP, Source: My IP -> Review and Launch.
Click Create a new key pair.
In Key pair name, type ADLab.
Click Download Key Pair to download key pair file.
Note that you can download the key pair file only now. You will not be able to download the file again after it is created.
Click Launch Instances.
Click View Instances.
Now we connect to the EC2 instances we created. In EC2 Dashboard -> Instances, rename one instance AD Lab PC01 and the other AD Lab AD.
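The same network and instance layout as the console steps above, as an added example (not code from the original tutorial) built with AWS Tools for PowerShell; it assumes the AWS.Tools.EC2 module is installed with credentials configured, chooses 172.31.0.0/24 as the subnet range (the tutorial does not state one), associates the route table with the subnet instead of making it Main, and replaces the All traffic rule with one scoped to the security group itself, which is all the two lab hosts need to talk to each other.

```powershell
# Added example, not from the original tutorial: the VPC, routing, security group
# and two instances above, built with AWS Tools for PowerShell (AWS.Tools.EC2 module).
# Assumptions: credentials are configured; the subnet range 172.31.0.0/24 is our choice.
Set-DefaultAWSRegion -Region us-east-1

# VPC and subnet, tagged as in the tutorial
$vpc    = New-EC2Vpc -CidrBlock '172.31.0.0/16'
$subnet = New-EC2Subnet -VpcId $vpc.VpcId -CidrBlock '172.31.0.0/24'
New-EC2Tag -Resource $subnet.SubnetId -Tag @{ Key = 'Name'; Value = 'AD Lab subnet' }

# Internet gateway, attached, plus a route table with a default route through it.
# The route table is associated with the subnet explicitly instead of being made Main.
$igw = New-EC2InternetGateway
Add-EC2InternetGateway -InternetGatewayId $igw.InternetGatewayId -VpcId $vpc.VpcId
$rt = New-EC2RouteTable -VpcId $vpc.VpcId
New-EC2Tag -Resource $rt.RouteTableId -Tag @{ Key = 'Name'; Value = 'AD Lab route table' }
New-EC2Route -RouteTableId $rt.RouteTableId -DestinationCidrBlock '0.0.0.0/0' -GatewayId $igw.InternetGatewayId
Register-EC2RouteTable -RouteTableId $rt.RouteTableId -SubnetId $subnet.SubnetId | Out-Null

# Security group: RDP only from the caller's current public address, and all traffic
# between members of the group (the DC and PC01) instead of a wider "All traffic" source.
$sgId = New-EC2SecurityGroup -GroupName 'AD-Lab-SG' -Description 'AD lab access' -VpcId $vpc.VpcId
$myIp = (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim() + '/32'
$rdp  = New-Object Amazon.EC2.Model.IpPermission -Property @{
    IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389
    Ipv4Ranges = @(New-Object Amazon.EC2.Model.IpRange -Property @{ CidrIp = $myIp })
}
$self = New-Object Amazon.EC2.Model.IpPermission -Property @{
    IpProtocol = '-1'
    UserIdGroupPairs = @(New-Object Amazon.EC2.Model.UserIdGroupPair -Property @{ GroupId = $sgId })
}
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission @($rdp, $self)

# Key pair: the private key is returned exactly once, so save it immediately
(New-EC2KeyPair -KeyName 'ADLab').KeyMaterial | Out-File -FilePath 'ADLab.pem' -Encoding ascii

# Two Windows Server 2012 R2 instances from the AMI named in the tutorial
$launch = @{
    ImageId = 'ami-0c34e56c5b17e933d'; InstanceType = 't2.micro'; KeyName = 'ADLab'
    SubnetId = $subnet.SubnetId; SecurityGroupId = $sgId; AssociatePublicIp = $true
    MinCount = 1; MaxCount = 1
}
$dc   = (New-EC2Instance @launch).Instances[0]
$pc01 = (New-EC2Instance @launch).Instances[0]
New-EC2Tag -Resource $dc.InstanceId   -Tag @{ Key = 'Name'; Value = 'AD Lab AD' }
New-EC2Tag -Resource $pc01.InstanceId -Tag @{ Key = 'Name'; Value = 'AD Lab PC01' }
```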
Connect to EC2 Windows Instance
Connect to the EC2 Windows instance by Remote Desktop and configure the Active Directory service we want to create: first add the server roles and promote the server to a domain controller, then create our own domain.
In the Amazon EC2 console, select AD Lab AD, and then choose Connect.
In the Connect To Your Instance dialog box, choose Get Password (it takes a few minutes after the instance is launched before the password is available).
Choose Browse and navigate to the private key file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file into the Contents field.
Choose Decrypt Password. The console displays the default administrator password for the instance in the Connect To Your Instance dialog box, replacing the link to Get Password shown previously with the actual password.
Record the default administrator password, or copy it to the clipboard. You need this password to connect to the instance.
Note the IPv4 Public IP and Private IPs; we will use them later. Open Microsoft Remote Desktop -> Add Desktop -> type your IPv4 Public IP in PC Name -> Save.
Double-click the Desktop you added.
User Name: Administrator, Password: (copy from the clipboard) -> Done.
A warning will pop up; just click Continue.
If you fail to connect to the EC2 Windows instance, check that the IP and password are correct.
Create Active Directory Domain Service
Create your own domain and add AD services to manage any computers joined to the domain through AD. You can even control which users can log on to computers in the domain and set permissions on computers and users within the domain.
Click the Server Manager icon at the bottom -> click Add roles and features.
Click Next until Server Roles.
In Server Roles, check Active Directory Domain Services and DNS Server.
When you check DNS Server and add its features, a warning will pop up; just click Continue.
Click Next until Confirmation, then click Install.
Wait for the EC2 Windows instance to install the tools and services.
Click Close to continue -> click the flag in the upper-right corner -> Promote this server to a domain controller.
In Deployment Configuration, choose Add a new forest and type your Root domain name (ADLAB.com in this tutorial).
In Domain Controller Options, type the DSRM password.
The password should be strong: at least a combination of uppercase and lowercase letters, numbers, and symbols.
Click Next until Prerequisites Check -> Install.
The EC2 Windows instance reboots when the installation is done. Now reconnect to the EC2 instance (AD Lab AD) to check that it is already an AD domain controller.
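The role installation, prerequisites check and forest promotion above, as an added example in PowerShell (not the tutorial's own code) run in an elevated session on AD Lab AD; it assumes the root domain ADLAB.com, the NetBIOS name ADLAB, and that the DSRM password is entered at a prompt rather than stored in the script.

```powershell
# Added example, not from the original tutorial: the Add Roles / Promote steps above
# as PowerShell, run in an elevated session on the AD Lab AD instance.
# Assumes root domain ADLAB.com and NetBIOS name ADLAB; the DSRM password is prompted for.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Directory Services Restore Mode password as a SecureString (never stored in the script)
$dsrm = Read-Host -Prompt 'DSRM password (mixed case, digits and symbols)' -AsSecureString

# Same checks the wizard runs on its Prerequisites Check page; stop if any of them fail
$check = Test-ADDSForestInstallation -DomainName 'ADLAB.com' -SafeModeAdministratorPassword $dsrm -InstallDns
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisites check failed' }

# Create the forest; -InstallDns matches the DNS Server role added above.
# The server reboots on its own when promotion completes.
Install-ADDSForest -DomainName 'ADLAB.com' -DomainNetbiosName 'ADLAB' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force

# Run after the reboot, once reconnected: confirm the host is now a domain controller
Get-ADDomainController | Select-Object HostName, Domain, Forest, IsGlobalCatalog
Get-ADDomain -Identity 'ADLAB.com' | Select-Object DNSRoot, DomainMode, PDCEmulator
```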
Set DHCP Options Sets in AWS
Since the domain did not exist when we created the VPC, our VPC does not recognize it. By setting up a DHCP Options Set, we tell the VPC the domain we created and its domain name server.
- Open AWS Console -> Service: VPC -> DHCP Options Sets.
- Create a DHCP Options Set with the following values:
Name: AD Lab, Domain Name: ADLAB.com, Domain Name Server: the Private IP of AD Lab AD -> leave the other fields empty.
Remember your DHCP Options Set ID; then we have to edit the DHCP Options Set of our VPC.
In VPC Dashboard -> select the VPC we created -> Actions -> Edit DHCP Options set -> choose the DHCP Options Set we just created.
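The DHCP Options Set above built with AWS Tools for PowerShell, followed by the check a practitioner wants before joining: that the lab hosts now receive the DC as their resolver and can find the domain's LDAP SRV record. This is an added example, not the tutorial's code; the VPC ID and DC private IP are placeholders, and the forwarder step (pointing the DC's DNS Server at the VPC resolver, the base of the VPC CIDR plus two) is an addition the tutorial does not mention.

```powershell
# Added example, not from the original tutorial: the DHCP Options Set above built with
# AWS Tools for PowerShell, then checks on the lab instances that the VPC now resolves
# the domain through the DC. The VPC ID and the DC private IP below are placeholders.
$vpcId       = 'vpc-PLACEHOLDER'   # the VPC created earlier
$dcPrivateIp = '172.31.0.10'       # constructed; use AD Lab AD's real Private IP

$dhcp = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = @('ADLAB.com') },
    @{ Key = 'domain-name-servers'; Values = @($dcPrivateIp) }
)
New-EC2Tag -Resource $dhcp.DhcpOptionsId -Tag @{ Key = 'Name'; Value = 'AD Lab' }
Register-EC2DhcpOption -DhcpOptionsId $dhcp.DhcpOptionsId -VpcId $vpcId

# On AD Lab AD: the VPC now hands out only the DC as resolver, so forward names the DC
# is not authoritative for to the VPC resolver (base of the 172.31.0.0/16 CIDR plus two).
Add-DnsServerForwarder -IPAddress 172.31.0.2

# On AD Lab PC01, before joining: pick up the new options, show which DNS server was
# assigned, and prove the domain is discoverable through it (the DC's LDAP SRV record).
ipconfig /renew | Out-Null
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ADLAB.com' -Type SRV
```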
Join Domain
Now we connect to the other EC2 instance and add it to the domain we created. After joining the domain, we can centrally manage computers and users through AD; in this process you will find that joining the domain requires confirmation from the domain administrator.
Now we connect to EC2 (AD Lab PC01), using the same method as before, to join the domain we created a few minutes ago.
Log in to EC2 (AD Lab PC01) -> open Server Manager -> click Local Server in the left panel -> click WORKGROUP -> click Change.
In Computer name, type PC01.
Select Domain, type ADLAB.com -> press OK.
We have to type the AD's user name and password to join. Here we fill in the EC2 (AD Lab AD) credentials: User name: Administrator, Password: the one in your clipboard.
The system asks you to restart the computer to apply these changes; click Restart Now.
Check that PC01 has joined the domain
Now we connect to AD Lab AD -> open Server Manager -> click Tools, next to the flag -> click Active Directory Users and Computers.
Click Computers under the ADLAB domain; you can see PC01 is already there.
Create Organizational Unit (OU)
Right-click ADLAB.com -> New -> Organizational Unit -> name this object (here we create a TEST object) -> OK.
Depending on how you design your organization, you can classify OUs by department.
Create a user in this OU
Right click TEST -> New -> User.
Fill in the user information and user logon name -> press Next.
Set a password for this user. In this tutorial we do not apply the following password rules, so uncheck the box; the password should still be strong.
You can also check the box to force the user to change the password at first logon on this computer.
Click Next -> Finish.
Check that the user has been created under the TEST OU.
Right-click the user JonnyDD -> Add to a group -> type remote -> Check Names -> Remote Desktop Users.
Now we connect to PC01 with User Name: Administrator and Password: copied from the clipboard.
We have to log in to this EC2 instance as Administrator to add JonnyDD to Remote Desktop Users.
Open Control Panel -> System and Security -> Allow remote access.
Select Users -> Add -> type Jonny -> Check Names -> a window will pop up.
It needs the AD's Administrator permission: the password we copied to the clipboard before.
If you did not copy it before, go to AWS EC2 Console -> select the EC2 (AD Lab AD) -> Connect -> Get Password -> Choose File -> select the key pair we created before -> Decrypt Password to get the password.
Press OK -> now disconnect and log in to this EC2 instance again with JonnyDD as the user name.
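The domain join, OU, user creation and Remote Desktop group steps above as PowerShell, added here as an example (not the tutorial's own code); it assumes the domain ADLAB.com, the computer name PC01, the OU TEST and the user JonnyDD from the text, prompts for credentials instead of pasting them from the clipboard, and keeps the domain password policy in force where the tutorial unchecks it.

```powershell
# Added example, not from the original tutorial: the domain join, OU, user and
# Remote Desktop steps above as PowerShell. Assumes domain ADLAB.com, computer name PC01,
# OU TEST and user JonnyDD as in the text; credentials are prompted for, not pasted.

# --- On AD Lab PC01 (elevated): rename, join the domain and reboot ---
$domCred = Get-Credential -Message 'Domain admin, e.g. ADLAB\Administrator'
Add-Computer -DomainName 'ADLAB.com' -NewName 'PC01' -Credential $domCred -Restart

# --- On AD Lab AD: confirm the computer account, then create the OU and the user ---
Import-Module ActiveDirectory
Get-ADComputer -Identity 'PC01' | Select-Object Name, DNSHostName, Enabled

New-ADOrganizationalUnit -Name 'TEST' -Path 'DC=ADLAB,DC=com'
# The domain password policy stays in force here (the tutorial unchecks it), and the
# user must choose a new password at first logon, as the wizard offers.
$userPwd = Read-Host -Prompt 'Initial password for JonnyDD' -AsSecureString
New-ADUser -Name 'JonnyDD' -SamAccountName 'JonnyDD' -UserPrincipalName 'JonnyDD@ADLAB.com' `
    -Path 'OU=TEST,DC=ADLAB,DC=com' -AccountPassword $userPwd `
    -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'JonnyDD'
Get-ADUser -Identity 'JonnyDD' -Properties MemberOf | Select-Object DistinguishedName, MemberOf

# --- On AD Lab PC01 (elevated): let the domain user connect by RDP to this host ---
# net localgroup is used because Add-LocalGroupMember is not available on Server 2012 R2
net localgroup 'Remote Desktop Users' 'ADLAB\JonnyDD' /add
net localgroup 'Remote Desktop Users'
```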
Clean Resources
- Shut down the EC2 instances you created.
- Delete the VPC, subnet, security group, route table, DHCP Options Set, and internet gateway.
You have learned how to set up your own VPC, subnet, security group, route table, DHCP Options Set and internet gateway, and how to use EC2 Windows instances to set up Windows Active Directory and create your own domain to manage the users and computers in it.
What is the benefit of using Windows Active Directory to manage your network environment? Centralized management of computer account passwords, stronger computer security, and complete company employee data kept in Active Directory. Software installation policies prevent employees from installing dangerous software that could lead to data leakage and theft, while company-essential software can be managed by Active Directory administrators: once the server dispatches the software to the computers, it is also possible to update the software version on every computer in the domain. Centralized management also reduces the maintenance staff needed for the company's network environment, as well as management time and costs; even printers and network drives can be managed uniformly by Active Directory. Centrally managed servers increase the security of the corporate network through permission control of shared folders and computer folders. Companies spread across regions can also be managed centrally through a unified connection to Active Directory servers.