Step 3: Deploy an EC2 instance to manage your AWS Managed Microsoft AD - AWS Directory Service
AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

Step 3: Deploy an EC2 instance to manage your AWS Managed Microsoft AD

For this lab, we use an EC2 instance with a public IP address so that the management instance is easy to reach from anywhere. In a production setup, you would use instances in a private VPC that are reachable only over a VPN or an AWS Direct Connect link; nothing in this procedure requires the instance to have a public IP address. Because the lab instance exposes RDP on a public address, make sure the inbound RDP rule of the security group you attach to it is limited to your own source address rather than 0.0.0.0/0.

In this section, you walk through the post-deployment tasks required to join a client computer running Windows Server to the domain, using a new EC2 instance. In the next step, you use that Windows Server instance to verify that the lab is working.

Optional: Create a DHCP options set in AWS-DS-VPC01 for your directory

In this optional procedure, you set up a DHCP options scope so that EC2 instances in the VPC automatically use your AWS Managed Microsoft AD for DNS resolution. For more information, see DHCP options sets.

To create a DHCP options set for your directory

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/

  2. In the navigation pane, choose DHCP Options Sets, and then choose Create DHCP options set.

  3. On the Create DHCP options set page, provide the following values for your directory:

    • For Name, type AWS DS DHCP.

    • For Domain name, type corp.example.com.

    • For Domain name servers, type the IP addresses of your AWS provided directory's DNS servers.

      Note

      To find these addresses, go to the AWS Directory Service Directories page, and then choose the applicable directory ID. On the Details page, use the IPs that are displayed under DNS address.

    • Leave the settings blank for NTP servers, NetBIOS name servers, and NetBIOS node type.

  4. Choose Create DHCP options set, and then choose Close. The new DHCP options set appears in your list of DHCP options.

  5. Make a note of the ID of the new set of DHCP options (dopt-xxxxxxxx). You use it at the end of this procedure when you associate the new options set with your VPC.

    Note

    Seamless domain join works without a DHCP options set, because the join process itself configures the instance with the directory's DNS addresses. The options set is still useful because it makes every instance in the VPC, including ones you join manually, resolve names through the directory.

  6. In the navigation pane, choose Your VPCs.

  7. In the list of VPCs, select AWS DS VPC, choose Actions, and then choose Edit DHCP options set.

  8. On the Edit DHCP options set page, choose the options set that you noted in Step 5, and then choose Save.
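The same DHCP options set created with the AWS Tools for PowerShell, as an added example that is not part of the AWS documentation. It assumes the AWS.Tools.EC2 and AWS.Tools.DirectoryService modules, credentials and Region already configured, and that you replace the two placeholder IDs with your directory ID and the ID of AWS-DS-VPC01; the directory's DNS addresses are read from the API rather than copied from the console.

```powershell
# Added example (not part of the AWS documentation): create and associate the
# DHCP options set with the AWS Tools for PowerShell instead of the VPC console.
# Assumptions: AWS.Tools.EC2 and AWS.Tools.DirectoryService are installed,
# credentials/Region are configured, and the two IDs below are placeholders
# that you replace with your directory ID and the ID of AWS-DS-VPC01.
$DirectoryId = 'd-xxxxxxxxxx'          # placeholder
$VpcId       = 'vpc-xxxxxxxxxxxxxxxxx' # placeholder

# Read the directory's DNS server IPs from the API instead of copying them by hand.
# An AWS Managed Microsoft AD always has two, one per Availability Zone.
$dir = Get-DSDirectory -DirectoryId $DirectoryId
if (-not $dir.DnsIpAddrs -or $dir.DnsIpAddrs.Count -lt 2) {
    throw "Directory $DirectoryId did not return two DNS addresses; is it in the Active state?"
}

# Only domain-name and domain-name-servers are set; NTP servers, NetBIOS name
# servers and NetBIOS node type stay unset, as in the console procedure.
$config = @(
    @{ Key = 'domain-name';         Values = @($dir.Name) },          # corp.example.com
    @{ Key = 'domain-name-servers'; Values = @($dir.DnsIpAddrs) }
)
$opts = New-EC2DhcpOption -DhcpConfiguration $config
New-EC2Tag -Resource $opts.DhcpOptionsId -Tag @{ Key = 'Name'; Value = 'AWS DS DHCP' }

# Associate the new set with the VPC (the console's "Edit DHCP options set" step).
Register-EC2DhcpOption -DhcpOptionsId $opts.DhcpOptionsId -VpcId $VpcId

# Verify: the VPC must now reference the new set, not the default one.
$vpc = Get-EC2Vpc -VpcId $VpcId
if ($vpc.DhcpOptionsId -ne $opts.DhcpOptionsId) {
    throw "VPC $VpcId still uses $($vpc.DhcpOptionsId)"
}
"DHCP options set $($opts.DhcpOptionsId): $($dir.Name) via $($dir.DnsIpAddrs -join ', ') attached to $VpcId"
```

The set applies to every instance in AWS-DS-VPC01, not only the management instance; instances that are already running pick up the new DNS servers when their DHCP lease renews (ipconfig /renew on Windows), newly launched ones immediately.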

Create a role to join Windows instances to your AWS Managed Microsoft AD domain

Use this procedure to configure a role that joins EC2 Windows instances to the domain. For more information, see Seamlessly join a Windows EC2 instance in the Amazon EC2 User Guide for Windows Instances.

To configure EC2 to join Windows instances to the domain

  1. Open the IAM console at https://console.amazonaws.cn/iam/

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  3. Under Select type of trusted entity, choose AWS service.

  4. Directly under Choose the service that will use this role, choose EC2, and then choose Next: Permissions.

  5. On the Attached permissions policy page, do the following:

    • Select the box next to the AmazonSSMManagedInstanceCore managed policy. This policy provides the minimum permissions necessary to use the Systems Manager service.

    • Select the box next to the AmazonSSMDirectoryServiceAccess managed policy. This policy provides the permissions to join instances to an Active Directory managed by AWS Directory Service. Attach nothing broader: any process on the instance can obtain the instance profile's credentials from the instance metadata service, so whatever the role can do is available to anyone who can run code on the instance.

    For information about these managed policies and other policies you can attach to an IAM instance profile for Systems Manager, see Create an IAM instance profile for Systems Manager in the AWS Systems Manager User Guide. For information about managed policies, see AWS managed policies in the IAM User Guide.

  6. Choose Next: Tags.

  7. (Optional) Add one or more tag key-value pairs to organize, track, or control access for this role, and then choose Next: Review.

  8. For Role name, enter a name for the role that describes that it is used to join instances to a domain, such as EC2DomainJoin.

  9. (Optional) For Role description, enter a description.

  10. Choose Create role. The system returns you to the Roles page.
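The same role created with the AWS Tools for PowerShell, as an added example that is not the AWS documentation's own code. It assumes the AWS.Tools.IdentityManagement module, configured credentials, and the commercial aws partition; $Partition and $Ec2Principal are variable names introduced here so the script can be adapted to the China partition, where the ARN prefix is arn:aws-cn and the EC2 service principal is ec2.amazonaws.com.cn.

```powershell
# Added example (not part of the AWS documentation): create the EC2DomainJoin role,
# attach exactly the two managed policies from the procedure, and wrap the role in
# an instance profile. Assumes AWS.Tools.IdentityManagement and configured
# credentials. $Partition and $Ec2Principal are introduced here; for the China
# (aws-cn) partition set them to 'aws-cn' and 'ec2.amazonaws.com.cn'.
$RoleName     = 'EC2DomainJoin'
$Partition    = 'aws'
$Ec2Principal = 'ec2.amazonaws.com'

# Trust policy: only the EC2 service may assume this role. Keep the principal this
# narrow; a role trusting "*" or an account root is assumable by anything that
# holds sts:AssumeRole rights.
$trust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = $Ec2Principal }
        Action    = 'sts:AssumeRole'
    })
} | ConvertTo-Json -Depth 5

$roleParams = @{
    RoleName                 = $RoleName
    AssumeRolePolicyDocument = $trust
    Description              = 'Joins EC2 Windows instances to the AWS Managed Microsoft AD domain'
}
$role = New-IAMRole @roleParams

# The two policies selected in the console procedure, and nothing broader.
foreach ($policy in 'AmazonSSMManagedInstanceCore', 'AmazonSSMDirectoryServiceAccess') {
    Register-IAMRolePolicy -RoleName $RoleName -PolicyArn "arn:${Partition}:iam::aws:policy/$policy"
}

# EC2 attaches roles through an instance profile. The console creates one with the
# role's name implicitly; the API does not, so create and populate it here.
New-IAMInstanceProfile -InstanceProfileName $RoleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $RoleName -RoleName $RoleName

# Verify: exactly the two expected policies are attached.
$attached = (Get-IAMAttachedRolePolicyList -RoleName $RoleName).PolicyName | Sort-Object
if (($attached -join ',') -ne 'AmazonSSMDirectoryServiceAccess,AmazonSSMManagedInstanceCore') {
    throw "Unexpected policies on ${RoleName}: $($attached -join ', ')"
}
"Created $($role.Arn) with policies: $($attached -join ', ')"
```

A newly created instance profile can take a few seconds to become visible to EC2; if a launch that references it fails with an invalid-profile error immediately afterwards, retry the launch.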

Create an EC2 instance and automatically join the directory

In this procedure, you set up a Windows Server system in Amazon EC2 that you can later use to manage users, groups, and policies in Active Directory.

To create an EC2 instance and automatically join the directory

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/

  2. Choose Launch Instance.

  3. On the Step 1 page, next to Microsoft Windows Server 2019 Base - ami-xxxxxxxxxxxxxxxxx, choose Select.

  4. On the Step 2 page, choose t3.micro (note that you can choose a larger instance type), and then choose Next: Configure Instance Details.

  5. On the Step 3 page, do the following:

    • For Network, choose the VPC that ends with AWS-DS-VPC01 (for example, vpc-xxxxxxxxxxxxxxxxx | AWS-DS-VPC01).

    • For Subnet choose Public subnet 1, which should be preconfigured for your preferred Availability Zone (for example, subnet-xxxxxxxxxxxxxxxxx | AWS-DS-VPC01-Subnet01 | us-west-2a).

    • For Auto-assign Public IP, choose Enable (if the subnet setting is not set to enable by default).

    • For Domain join directory, choose corp.example.com (d-xxxxxxxxxx).

    • For IAM role choose the name you gave your instance role in Create a role to join Windows instances to your AWS Managed Microsoft AD domain, such as EC2DomainJoin.

    • Leave the other settings at their defaults.

    • Choose Next: Add Storage.

  6. On the Step 4 page, keep the default settings, and then choose Next: Add Tags.

  7. On the Step 5 page, choose Add Tag. Under Key, type corp.example.com-mgmt, and then choose Next: Configure Security Group.

  8. On the Step 6 page, choose Select an existing security group, select AWS DS RDP Security Group, and then choose Review and Launch to review your instance.

  9. On the Step 7 page, review the page, and then choose Launch.

  10. On the Select an existing key pair or create a new key pair dialog box, do the following:

    • Choose Choose an existing key pair.

    • Under Select a key pair, choose AWS-DS-KP.

    • Select the I acknowledge... check box.

    • Choose Launch Instances.

  11. Choose View Instances to return to the Amazon EC2 console and view the status of the deployment.
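An added check, not part of the AWS documentation, to run from your workstation with the AWS Tools for PowerShell (AWS.Tools.EC2, credentials and Region configured) once the instance has launched. It finds the instance by the corp.example.com-mgmt tag key from step 7, confirms it carries the EC2DomainJoin instance profile (without which the seamless join never runs), and audits every security group on it for TCP/3389 open to the whole internet, which matters because the lab gives the instance a public IP.

```powershell
# Added example (not part of the AWS documentation): post-launch sanity check from
# the admin workstation. Assumes AWS.Tools.EC2 and configured credentials; the tag
# key and role name are the ones used in this procedure.
$TagKey   = 'corp.example.com-mgmt'
$RoleName = 'EC2DomainJoin'

$instances = (Get-EC2Instance -Filter @{ Name = 'tag-key'; Values = $TagKey }).Instances |
             Where-Object { $_.State.Name -ne 'terminated' }
if (-not $instances) { throw "No instance tagged $TagKey found" }

foreach ($i in $instances) {
    # 1. Instance profile: the seamless join is driven by SSM, which only works
    #    when the instance has the role from the previous procedure.
    $profile = $i.IamInstanceProfile.Arn
    if (-not $profile -or $profile -notlike "*instance-profile/$RoleName") {
        Write-Warning "$($i.InstanceId): instance profile is '$profile', expected $RoleName; the domain join will not run"
    }
    Write-Output "$($i.InstanceId) state=$($i.State.Name) public=$($i.PublicIpAddress) profile=$profile"

    # 2. RDP exposure: flag any inbound rule that admits TCP/3389 from 0.0.0.0/0 or ::/0.
    foreach ($sg in $i.SecurityGroups) {
        $rules = (Get-EC2SecurityGroup -GroupId $sg.GroupId).IpPermissions
        foreach ($r in $rules) {
            # IpProtocol '-1' is "all traffic" and has no port range.
            $coversRdp = ($r.IpProtocol -eq '-1') -or
                         ($r.IpProtocol -eq 'tcp' -and $r.FromPort -le 3389 -and $r.ToPort -ge 3389)
            if (-not $coversRdp) { continue }
            $open = @($r.Ipv4Ranges | Where-Object CidrIp -eq '0.0.0.0/0') +
                    @($r.Ipv6Ranges | Where-Object CidrIpv6 -eq '::/0')
            if ($open) {
                Write-Warning "$($sg.GroupName) ($($sg.GroupId)) allows RDP from anywhere; restrict the rule to your own address (a /32)"
            }
        }
    }
}
```

If the profile warning fires, stop the instance, attach the EC2DomainJoin role through Actions, Security, Modify IAM role, and start it again; the join association is created at launch, so an instance launched without the role must be relaunched with the Domain join directory setting or joined manually.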

Install the Active Directory tools on your EC2 instance

You can choose between two methods to install the Active Directory domain management tools on your EC2 instance: the Server Manager UI (recommended for this tutorial) or Windows PowerShell.

To install the Active Directory tools on your EC2 instance (Server Manager)

  1. In the Amazon EC2 console, choose Instances, select the instance you just created, and then choose Connect.

  2. In the Connect to your instance dialog box, choose Get Password to retrieve your password (if you have not already done so), and then choose Download Remote Desktop File.

  3. In the Windows Security dialog box, type the local administrator credentials for the Windows Server computer to sign in (for example, administrator).

  4. From the Start menu, choose Server Manager.

  5. In the Dashboard, choose Add Roles and Features.

  6. In the Add Roles and Features Wizard, choose Next.

  7. On the Select installation type page, choose Role-based or feature-based installation, and then choose Next.

  8. On the Select destination server page, make sure that the local server is selected, and then choose Next.

  9. On the Select server roles page, choose Next.

  10. On the Select features page, do the following:

    • Select the Group Policy Management check box.

    • Expand Remote Server Administration Tools, and then expand Role Administration Tools.

    • Select the AD DS and AD LDS Tools check box.

    • Select the DNS Server Tools check box.

    • Choose Next.

  11. On the Confirm installation selections page, review the information, and then choose Install. After the feature installation finishes, the following new tools or snap-ins are available in the Windows Administrative Tools folder of the Start menu.

    • Active Directory Administrative Center

    • Active Directory Domains and Trusts

    • Active Directory Module for Windows PowerShell

    • Active Directory Sites and Services

    • Active Directory Users and Computers

    • ADSI Edit

    • DNS

    • Group Policy Management

To install the Active Directory tools on your EC2 instance (Windows PowerShell) (Optional)

  1. Start Windows PowerShell.

  2. Type the following command.

    Install-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-DNS-Server
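An added verification script, not part of the AWS documentation, to run in PowerShell on the instance after either installation method. It confirms that the five features are installed, that the computer is joined to corp.example.com with a working secure channel, that DNS resolves the domain's DC locator records (that is, the instance is using the directory's DNS), and that the DC locator can find a domain controller. It assumes the tutorial's domain name and an elevated session under the local administrator; none of the checks need domain credentials.

```powershell
# Added example (not part of the AWS documentation): verify the tools install and
# the domain join from an elevated PowerShell session on the instance. Assumes the
# tutorial's domain name; no domain credentials are required.
$Domain = 'corp.example.com'

# 1. Every feature named in the Install-WindowsFeature command must report Installed.
$missing = Get-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-DNS-Server |
           Where-Object { -not $_.Installed }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }

# 2. The computer must be a member of the domain and hold a valid secure channel
#    (machine-account trust) with a domain controller.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
    throw "Instance is not joined to $Domain (Domain='$($cs.Domain)'); check the instance's SSM association in the Systems Manager console"
}
if (-not (Test-ComputerSecureChannel)) { throw "Secure channel to $Domain is broken" }

# 3. DNS must be served by the directory: the DC locator SRV record only exists there.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV records for $Domain; the instance is not using the directory's DNS servers" }

# 4. The AD module is usable and the DC locator finds a domain controller. -Discover
#    uses DsGetDcName rather than an LDAP bind, so it works from a local account.
Import-Module ActiveDirectory
$dc = Get-ADDomainController -Discover -DomainName $Domain
"Joined to $($cs.Domain); DC locator returned $($dc.HostName) ($($dc.IPv4Address)); $($srv.Count) SRV record(s); all tools installed"
```

Managing users and groups with these tools still requires signing in with a domain account that has the appropriate delegated rights; the local administrator account used for the RDP session has no permissions in the directory.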