Launching a directory administration instance in your Amazon Managed Microsoft AD Active Directory
This procedure launches an Amazon EC2 directory administration Windows instance in the Amazon Web Services Management Console using Amazon Systems Manager Automation to manage your directories. You can also accomplish this by running the automation Amazon-CreateDSManagementInstance in the Amazon Systems Manager Automation console directly.
For more information, see the following links:
Prerequisites
The following prerequisites are required to complete this tutorial:
- You'll need to set up Amazon Systems Manager. For more information, see Setting up Amazon Systems Manager.
- You'll need an IAM instance profile role that allows Systems Manager and Amazon Managed Microsoft AD.
  - For more information on Systems Manager, see Configure instance permissions required for Systems Manager.
  - The IAM instance role needs the following Amazon managed policies so your EC2 directory administration Windows instance can domain join your Amazon Managed Microsoft AD:
    - AmazonSSMManagedInstanceCore
    - AmazonSSMDirectoryServiceAccess
- The VPC connected to your Amazon Managed Microsoft AD needs to allow access to public Amazon Directory Service endpoints. For more information, see Prerequisites for creating an Amazon Managed Microsoft AD.
You must have the following permissions enabled in your account to launch a directory administration EC2 instance from the console:
- ds:DescribeDirectories
- ec2:AuthorizeSecurityGroupIngress
- ec2:CreateSecurityGroup
- ec2:CreateTags
- ec2:DeleteSecurityGroup
- ec2:DescribeInstances
- ec2:DescribeInstanceStatus
- ec2:DescribeKeyPairs
- ec2:DescribeSecurityGroups
- ec2:DescribeVpcs
- ec2:RunInstances
- ec2:TerminateInstances
- iam:AddRoleToInstanceProfile
- iam:AttachRolePolicy
- iam:CreateInstanceProfile
- iam:CreateRole
- iam:DeleteInstanceProfile
- iam:DeleteRole
- iam:DetachRolePolicy
- iam:GetInstanceProfile
- iam:GetRole
- iam:ListAttachedRolePolicies
- iam:ListInstanceProfiles
- iam:ListInstanceProfilesForRole
- iam:PassRole
- iam:RemoveRoleFromInstanceProfile
- iam:TagInstanceProfile
- iam:TagRole
- ssm:CreateDocument
- ssm:DeleteDocument
- ssm:DescribeInstanceInformation
- ssm:GetAutomationExecution
- ssm:GetParameters
- ssm:ListCommandInvocations
- ssm:ListCommands
- ssm:ListDocuments
- ssm:SendCommand
- ssm:StartAutomationExecution
- ssm:GetDocument
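The role and permission requirements above, as an added example that is not part of the original documentation: a Python helper that emits the instance role's trust policy and the two managed-policy ARNs, builds a least-privilege policy holding exactly the console actions listed, and checks an existing policy to report which of those actions it fails to grant. Function names, the statement Sid and the sample policy are assumptions; the standard `arn:aws:iam::aws:policy/` prefix is assumed for the managed policies. NotAction, NotResource and Condition elements are not modeled, so a clean result is a quick sanity check, not a substitute for the IAM policy simulator.

```python
"""Build the IAM documents this page's prerequisites call for and check an
existing policy against the console permission list.

Hypothetical helper written for this page; it is not an Amazon tool. The two
managed-policy names, the EC2 trust relationship and the action list come from
the page; function names, the Sid and the sample policies are constructed."""
import fnmatch
import json

# Managed policies the instance role needs (named on the page). The standard
# partition ARN prefix is assumed; adjust it for other partitions.
INSTANCE_ROLE_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess",
]

# Actions the console operator needs, copied from the page's list.
REQUIRED_CONSOLE_ACTIONS = [
    "ds:DescribeDirectories",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags",
    "ec2:DeleteSecurityGroup", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
    "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile",
    "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DetachRolePolicy",
    "iam:GetInstanceProfile", "iam:GetRole", "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:PassRole",
    "iam:RemoveRoleFromInstanceProfile", "iam:TagInstanceProfile", "iam:TagRole",
    "ssm:CreateDocument", "ssm:DeleteDocument", "ssm:DescribeInstanceInformation",
    "ssm:GetAutomationExecution", "ssm:GetParameters", "ssm:ListCommandInvocations",
    "ssm:ListCommands", "ssm:ListDocuments", "ssm:SendCommand",
    "ssm:StartAutomationExecution", "ssm:GetDocument",
]


def instance_role_trust_policy():
    """Trust policy letting EC2 assume the instance role (the instance profile role)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def console_operator_policy(actions=REQUIRED_CONSOLE_ACTIONS):
    """One Allow statement with exactly the required actions, sorted so the
    document is stable when diffed across revisions. Sid is constructed."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "LaunchDirectoryAdminInstance",
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": "*",
    }]}


def _as_list(value):
    # IAM allows a bare string wherever a list of strings is accepted.
    return value if isinstance(value, list) else [value]


def _covered(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards,
    # which fnmatch also implements; action names never contain [ ].
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_CONSOLE_ACTIONS):
    """Return the required actions that the policy does not grant: either no
    Allow statement matches them, or an explicit Deny matches (Deny wins).
    NotAction, resource scoping and Condition elements are not modeled."""
    allowed, denied = [], []
    for statement in _as_list(policy.get("Statement", [])):
        patterns = _as_list(statement.get("Action", []))
        (allowed if statement.get("Effect") == "Allow" else denied).extend(patterns)
    return [a for a in required if _covered(a, denied) or not _covered(a, allowed)]


if __name__ == "__main__":
    print(json.dumps(instance_role_trust_policy(), indent=2))
    print(json.dumps(console_operator_policy(), indent=2))
    # Constructed sample: broad Describe rights, iam:* minus PassRole, no ssm.
    partial = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ds:DescribeDirectories", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ]}
    print("missing:", missing_actions(partial))
```

Run it once to emit the two policy documents, then feed any existing operator policy to `missing_actions` before trying the console launch; the gaps it reports are the actions that would otherwise surface as AccessDenied part-way through the automation.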
-
Launching a directory administration EC2 instance in the Amazon Web Services Management Console
- Sign in to the Amazon Directory Service console.
- Under Active Directory, choose Directories.
- Choose the Directory ID of the directory where you want to launch a directory administration EC2 instance.
- On the directory page, in the top right corner, choose Actions.
- In the Actions dropdown list, choose Launch directory administration EC2 instance.
- On the Launch directory administration EC2 instance page, under Input parameters, complete the fields.
  - (Optional) You can provide a key pair for the instance. From the Key Pair Name - optional dropdown list, select a key pair.
  - (Optional) Choose View Amazon CLI command to see an example command that you can run in the Amazon CLI to start this automation yourself.
- Choose Submit.
- You're taken back to the directory page. A green flashbar displays at the top of your screen to indicate that you successfully began the launch.
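The same launch started outside the console, as an added example that is not Amazon's code: it builds the StartAutomationExecution call for the runbook named at the top of this page, then polls GetAutomationExecution until the run reaches a terminal status and reports the failed step and failure message. The parameter names DirectoryId and KeyPairName, the step names and the sample responses are assumptions constructed for the example; copy the real parameters from the console's View Amazon CLI command.

```python
"""Start the Amazon-CreateDSManagementInstance runbook from code and read back
the result.

Constructed example for this page, not Amazon's own code. The runbook name is
the one the page gives; the parameter names DirectoryId and KeyPairName are
assumptions, and the sample responses are hand-written, not captured."""
import time

RUNBOOK_NAME = "Amazon-CreateDSManagementInstance"
# AutomationExecutionStatus values after which the execution will not change.
TERMINAL_STATUSES = {"Success", "Failed", "TimedOut", "Cancelled"}


def build_start_request(directory_id, key_pair_name=None):
    """Keyword arguments for ssm.start_automation_execution. Automation
    parameter values are lists of strings, so each value is wrapped."""
    parameters = {"DirectoryId": [directory_id]}        # assumed parameter name
    if key_pair_name:
        parameters["KeyPairName"] = [key_pair_name]     # assumed parameter name
    return {"DocumentName": RUNBOOK_NAME, "Parameters": parameters}


def summarize_execution(response):
    """Reduce a get_automation_execution response to what an operator checks:
    overall status, whether it is final, which steps failed, the failure text."""
    execution = response["AutomationExecution"]
    status = execution["AutomationExecutionStatus"]
    failed_steps = [
        step["StepName"]
        for step in execution.get("StepExecutions", [])
        if step.get("StepStatus") in ("Failed", "TimedOut", "Cancelled")
    ]
    return {
        "status": status,
        "done": status in TERMINAL_STATUSES,
        "failed_steps": failed_steps,
        "failure_message": execution.get("FailureMessage", ""),
        "outputs": execution.get("Outputs", {}),
    }


def wait_for_execution(ssm, execution_id, poll_seconds=15, timeout_seconds=1800):
    """Poll until the execution is terminal or the timeout expires. `ssm` only
    needs get_automation_execution(AutomationExecutionId=...), so a stub can
    stand in for a boto3 client."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        summary = summarize_execution(
            ssm.get_automation_execution(AutomationExecutionId=execution_id))
        if summary["done"]:
            return summary
        if time.monotonic() >= deadline:
            raise TimeoutError(f"automation {execution_id} still {summary['status']}")
        time.sleep(poll_seconds)


def launch_admin_instance(directory_id, key_pair_name=None):
    """Real run: needs boto3 and credentials holding the ssm actions the page lists."""
    import boto3  # imported here so the rest of the module works without it
    ssm = boto3.client("ssm")
    started = ssm.start_automation_execution(**build_start_request(directory_id, key_pair_name))
    return wait_for_execution(ssm, started["AutomationExecutionId"])


class StubSsmClient:
    """Constructed stand-in that replays canned responses in order, repeating the last."""
    def __init__(self, responses):
        self._responses = list(responses)

    def get_automation_execution(self, AutomationExecutionId):
        return self._responses.pop(0) if len(self._responses) > 1 else self._responses[0]


# Constructed responses in the shape of GetAutomationExecution: one poll still
# running, then a failure in a later step. Step names are made up.
SAMPLE_IN_PROGRESS = {"AutomationExecution": {
    "AutomationExecutionId": "00000000-example-0000", "DocumentName": RUNBOOK_NAME,
    "AutomationExecutionStatus": "InProgress", "StepExecutions": [
        {"StepName": "createSecurityGroup", "StepStatus": "Success"},
        {"StepName": "launchInstance", "StepStatus": "InProgress"}]}}
SAMPLE_FAILED = {"AutomationExecution": {
    "AutomationExecutionId": "00000000-example-0000", "DocumentName": RUNBOOK_NAME,
    "AutomationExecutionStatus": "Failed",
    "FailureMessage": "Step launchInstance failed (constructed message)",
    "StepExecutions": [
        {"StepName": "createSecurityGroup", "StepStatus": "Success"},
        {"StepName": "launchInstance", "StepStatus": "Failed"}]}}

if __name__ == "__main__":
    stub = StubSsmClient([SAMPLE_IN_PROGRESS, SAMPLE_FAILED])
    print(wait_for_execution(stub, "00000000-example-0000", poll_seconds=0))
```

The polling loop stops on every terminal status rather than only on Success, so a TimedOut or Cancelled run is reported instead of being waited on forever, and the failed step name tells you which of the resources in the permission list above (security group, instance, IAM role) the run got stuck on.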
Viewing directory administration EC2 instance
If you haven't launched any EC2 instances for a directory, a dash (-) displays under Directory administration EC2 instance.
- Under Active Directory, choose Directories and select the directory you want to view.
- Under Directory details, under Directory administration EC2 instance, choose one or all of your instances to view.
- When you choose an instance, you're routed to the EC2 Connect to instance page to connect a remote desktop to your instance.