AWS Directory Service
Administration Guide (Version 1.0)
The AWS services or features described in AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with AWS Services in China.

Step 4: Test seamless domain join of an EC2 instance

You can test seamless domain join using either of the following two methods.

Method 1: Test domain join using the Amazon EC2 console

Use this procedure in the directory consumer account.

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/

  2. From the region selector in the navigation bar, choose the same region as the existing directory.

  3. From the Amazon EC2 console dashboard, choose Launch Instance.

  4. On the Step 1 page, choose Select for the appropriate AMI.

  5. On the Step 2 page, select the appropriate instance type, and then choose Next.

  6. On the Step 3 page, do the following, and then choose Next:

    1. For Network, choose the VPC that your directory was created in.

    2. For Subnet, choose one of the public subnets in your VPC. The subnet that you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

    3. For Auto-assign Public IP, choose Enable (if the subnet setting is not set to enable by default). For more information about public and private IP addressing, see Amazon EC2 Instance IP Addressing in the Amazon EC2 User Guide for Linux Instances.

    4. For Domain join directory, choose your domain from the Domain join directory list. To seamlessly join the instance, you also need an IAM role that has the AmazonEC2RoleforSSM managed policy attached to it. From the IAM role list, choose the IAM role that has this policy. If you choose this option, you do not have to manually join the instance to the domain as that will be done for you when the instance is launched.

      Note

      This option is only available for Windows instances. Linux instances must be manually joined to the directory as explained in Manually join a Linux instance.

    5. For IAM role, optionally choose the Create new IAM role link to create a new IAM role and attach the AmazonEC2RoleforSSM policy. Then on the Roles page, do the following:

      1. Choose Create role.

      2. Under AWS service, choose the EC2 link, and then choose Next.

      3. Under Select your use case, choose EC2, and then choose Next.

      4. In the list of policies, select the EC2 Role for Simple Systems Manager policy (AmazonEC2RoleforSSM), and then choose Next.

      5. For Role name, enter a name for your new role (such as EC2DomainJoin). For Role description, enter a description (optional). Then choose Create role.

  7. Go back to the Step 3 page. For IAM role, choose the refresh icon next to IAM role. Your new role should be visible in the menu. Choose it and leave the rest of the settings on this page with their default values. Then choose Next.

  8. On both the Step 4 and Step 5 pages, leave the default settings or make changes as needed, and then choose Next.

  9. On the Step 6 page, select a security group for the instance that has been configured to allow remote access to the instance from your network, and then choose Review and Launch.

Method 2: Test domain join using the AWS Systems Manager console

Use this procedure in the directory consumer account. To complete this procedure, you need some information from the directory owner account.

Note

Make sure the AmazonEC2RoleforSSM managed policy is attached to the IAM role permissions of your instance before you begin the steps in this procedure. For more information, see Managed Policies and Inline Policies in the IAM User Guide.

  1. Sign in to the AWS Management Console and open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/

  2. In the navigation pane, choose Run Command.

  3. Choose Run a Command.

  4. On the Run a command page, search for AWS-JoinDirectoryServiceDomain. When it appears in the search results, select the AWS-JoinDirectoryServiceDomain option.

  5. Scroll down to the Command parameters section. You must provide the following parameters:

    • Directory Id - for the directory consumer account.

      Note

      You can find the Directory Id value by returning to the AWS Directory Service console, choosing Directories shared with me, selecting your directory, and then looking for the value in the Shared directory details section.

    • Directory Name - for the directory owner account.

    • Dns Ip Addresses - for the directory owner account.

    Note

    You can find the Directory Name and Dns Ip Addresses values by returning to the AWS Directory Service console, choosing Directories shared with me, selecting your directory, and then viewing the attributes found in Owner directory details.

  6. In the Targets section, select the instance that you want to join to the domain.

  7. Leave the rest of the form set to its default values, scroll down the page, and then choose Run.

  8. In the navigation pane, choose Managed Instances.

  9. Confirm that the instance successfully joined the domain by viewing the instance in the list. If Association Status shows Success, your instance has successfully joined the domain.
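The same Run Command invocation driven from code, as an added example that is not part of the AWS documentation; it assumes boto3 for run_join and assumes the document's parameter names directoryId, directoryName and dnsIpAddresses, and the target instance's IAM role must still carry the AmazonEC2RoleforSSM policy for the command to be delivered.

```python
# Build, send and check the AWS-JoinDirectoryServiceDomain Run Command (added example).
# Parameter names directoryId/directoryName/dnsIpAddresses and the directory ID
# shape are assumptions about the SSM document, not values taken from the page.
import ipaddress
import re
import time

DOCUMENT_NAME = "AWS-JoinDirectoryServiceDomain"
DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-z]{10}$")  # assumed shape, e.g. d-1234567890
TERMINAL = {"Success", "Failed", "TimedOut", "Cancelled"}

def build_join_command(directory_id, directory_name, dns_ips, instance_ids):
    """Validate the consumer/owner-account values and return send_command kwargs."""
    if not DIRECTORY_ID_RE.match(directory_id):
        raise ValueError(f"unexpected Directory Id format: {directory_id!r}")
    if "." not in directory_name.strip("."):
        raise ValueError(f"Directory Name must be a fully qualified domain: {directory_name!r}")
    if not dns_ips or not instance_ids:
        raise ValueError("need at least one DNS IP address and one target instance")
    for ip in dns_ips:
        ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) if malformed
    return {
        "DocumentName": DOCUMENT_NAME,
        "InstanceIds": list(instance_ids),
        "Parameters": {
            "directoryId": [directory_id],
            "directoryName": [directory_name],
            "dnsIpAddresses": list(dns_ips),
        },
    }

def summarize_invocations(invocations):
    """Map each instance to its command status (the console's Association Status check)."""
    return {inv["InstanceId"]: inv["Status"] for inv in invocations}

def run_join(ssm, cmd, poll_seconds=10):
    """Send the command through a boto3 SSM client and poll until every target finishes."""
    command_id = ssm.send_command(**cmd)["Command"]["CommandId"]
    while True:
        invs = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
        status = summarize_invocations(invs)
        if invs and all(s in TERMINAL for s in status.values()):
            return status
        time.sleep(poll_seconds)

# Constructed sample of a ListCommandInvocations result: one join succeeded, one failed.
SAMPLE_INVOCATIONS = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "Status": "Success"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "Status": "Failed"},
]
```

A Failed status on an instance is the code-path equivalent of a missing Success in the Managed Instances list; the usual causes are the instance not being SSM-managed (missing AmazonEC2RoleforSSM) or the DNS IP addresses not being reachable from the instance's subnet.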

After completing the steps in either procedure, you should now be able to join your EC2 instance to the domain. Once you have done so, you can log in to your instance through a Remote Desktop Protocol (RDP) client using the credentials of your AWS Managed Microsoft AD user account.